CN109508555A - Providing isolation in a virtualization system using trust domains - Google Patents
Providing isolation in a virtualization system using trust domains
- Publication number: CN109508555A
- Application number: CN201811074901.XA
- Authority: CN (China)
- Prior art keywords: processing unit, tdrm, key, memory, mot
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
(All G06F entries fall under G—PHYSICS / G06—COMPUTING; CALCULATING OR COUNTING / G06F—ELECTRIC DIGITAL DATA PROCESSING; all H04L entries under H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION.)
- G06F21/6245 (G06F21/00 > G06F21/60 > G06F21/62 > G06F21/6218): Protecting personal data, e.g. for financial or medical purposes
- G06F21/71 (G06F21/00 > G06F21/70): Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/602 (G06F21/00 > G06F21/60): Providing cryptographic facilities or services
- G06F12/0292 (G06F12/00 > G06F12/02 > G06F12/0223): User address space allocation, e.g. contiguous or non contiguous base addressing using tables or multilevel address translation means
- G06F12/1408 (G06F12/00 > G06F12/14): Protection against unauthorised use of memory or access to memory by using cryptography
- G06F21/53 (G06F21/00 > G06F21/50 > G06F21/52): Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G06F21/57 (G06F21/00 > G06F21/50): Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/6218 (G06F21/00 > G06F21/60 > G06F21/62): Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/64 (G06F21/00 > G06F21/60): Protecting data integrity, e.g. using checksums, certificates or signatures
- G06F21/79 (G06F21/00 > G06F21/70 > G06F21/78): Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
- G06F9/45558 (G06F9/00 > G06F9/06 > G06F9/44 > G06F9/455 > G06F9/45533): Hypervisor-specific management and integration aspects
- H04L63/061 (H04L63/00 > H04L63/06): Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
- H04L9/0618 (H04L9/00 > H04L9/06): Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- G06F2009/45587 (G06F9/00 > G06F9/06 > G06F9/44 > G06F9/455 > G06F9/45533 > G06F9/45558): Isolation or security of virtual machine instances
- G06F2212/1052 (G06F2212/00 > G06F2212/10): Security improvement
- G06F2221/2107 (G06F2221/00 > G06F2221/21): File encryption
- G06F2221/2149 (G06F2221/00 > G06F2221/21): Restricted operating environment
Abstract
Implementations are described for providing isolation in a virtualization system using trust domains. In one implementation, a processing unit includes a memory ownership table (MOT) that is access-controlled against software access. The processing unit further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain the execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software access, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD. The key ID allows the processing unit to decrypt memory pages assigned to the TD, in response to the processing unit executing in the context of the TD, the memory pages assigned to the TD being encrypted with the encryption key.
Description
This disclosure relates to computer systems and, more particularly, to providing isolation in a virtualization system using trust domains.
Background
Modern processing units use disk encryption to protect data at rest. However, data in memory is in plaintext and is vulnerable to attack. Attackers can use a variety of techniques, including bus scanning, software- and hardware-based memory scanning, hardware probing, and so on, to retrieve data from memory. This data from memory may include sensitive data, for example privacy-sensitive data, IP-sensitive data, and also the keys used for file encryption or communication. The current trend of moving data and enterprise workloads into the cloud, using virtualization-based hosting services provided by cloud service providers, further exacerbates the exposure of data.
Description of the drawings
Figure 1A is a block diagram illustrating an example computing system that provides isolation in a virtualization system using trust domains, according to one implementation.
Figure 1B is a block diagram illustrating another example computing system that provides isolation in a virtualization system using trust domains, according to one implementation.
Fig. 2A is a block diagram of an example of a trust domain architecture according to one implementation.
Fig. 2B is a block diagram of another example of a trust domain architecture according to one implementation.
Fig. 3 is a block diagram of a further example of a trust domain architecture according to one implementation.
Fig. 4 is a flowchart of an example method for providing isolation in a virtualization system using trust domains according to one implementation.
Fig. 5 is a flowchart of an example method for performing a trust domain exit routine when providing isolation in a virtualization system using trust domains, according to one implementation.
Fig. 6 is a flowchart of an example method for performing a trust domain enter routine when providing isolation in a virtualization system using trust domains, according to one implementation.
Fig. 7A is a block diagram illustrating a micro-architecture for a processor in which one implementation of the disclosure may be used.
Fig. 7B is a block diagram illustrating an in-order pipeline and a register renaming stage, out-of-order issue/execution pipeline implemented according to at least one implementation of the disclosure.
Fig. 8 is a block diagram of a micro-architecture for a processing unit that includes logic circuits for providing isolation in a virtualization system using trust domains, according to one implementation.
Fig. 9 is a block diagram of a computer system according to one implementation.
Figure 10 is a block diagram of a computer system according to another implementation.
Figure 11 is a block diagram of a system-on-chip according to one implementation.
Figure 12 illustrates another implementation of a block diagram of a computing system.
Figure 13 illustrates another implementation of a block diagram of a computing system.
Detailed description
An architecture for providing isolation in a virtualization system using trust domains (TDs) is described. A current trend in computing is the placement of data and enterprise workloads in the cloud by using hosting services provided by cloud service providers (CSPs). As a result of hosting data and enterprise workloads in the cloud, the customers of the CSP (referred to herein as tenants) are requesting better security and isolation solutions for their workloads. In particular, customers are seeking solutions that enable CSP-provided software to operate outside the trusted computing base (TCB) of the tenant's software. The TCB of a system refers to the set of hardware, firmware, and/or software components that have the ability to influence the trust of the overall operation of the system.
In implementations of the disclosure, a TD architecture and instruction set architecture (ISA) extensions for the TD architecture (referred to herein as TD extensions (TDX)) are provided to give confidentiality (and integrity) to customer (tenant) software executing in an untrusted CSP infrastructure. The TD architecture, which can be a system-on-chip (SoC) capability, provides isolation between TD workloads and CSP software, such as the CSP's virtual machine manager (VMM). The components of the TD architecture may include: 1) memory encryption via a multi-key total memory encryption (MK-TME) engine; 2) a resource management capability referred to herein as the trust domain resource manager (TDRM), which may be a software extension of the virtual machine monitor (VMM); and 3) execution state and memory isolation capabilities in the processor, provided via a CPU-managed memory ownership table (MOT) and via CPU access-controlled TD control structures. The TD architecture provides the ability for the processor to deploy TDs that leverage the MK-TME engine, the MOT, and the access-controlled TD control structures for secure operation of TD workloads.
In one implementation, the tenant's software executes in an architectural concept referred to as a TD. A TD (also referred to as a tenant TD) refers to a tenant workload (which may, for example, consist of just an operating system (OS) together with other ring-3 applications running on top of the OS, or a virtual machine (VM) running on top of a VMM together with other ring-3 applications). Each TD operates independently of the other TDs in the system and uses the logical processor(s), memory, and I/O assigned to it by the TDRM on the platform. Each TD is cryptographically isolated in memory using at least one exclusive encryption key of the MK-TME engine for encrypting the memory (holding code and/or data) associated with the trust domain.
In implementations of the disclosure, the TDRM in the TD architecture acts as the host for the TDs and has full control of the cores and other platform hardware. The TDRM assigns one or more logical processors to the software in a TD. However, the TDRM cannot access the execution state of a TD on the assigned logical processor(s). Similarly, the TDRM assigns physical memory and I/O resources to a TD, but has no visibility into the memory state of the TD because of the separate encryption keys enforced per TD by the CPU and the other integrity and replay controls on memory. Software executing in a TD operates with reduced privileges so that the TDRM can retain control of platform resources. However, the TDRM cannot affect the confidentiality or integrity of the TD state in memory or in the CPU structures under the defined conditions.
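To make the division of roles just described concrete, here is an added toy model (not code from the patent, and not Intel's implementation) of a memory ownership table with per-TD key IDs. It shows the TDRM assigning pages and key IDs without being able to read, or silently modify, TD contents, and the MOT check rejecting a TD's access to a page it does not own. The `Platform`, `MotEntry`, `AccessDenied` and `IntegrityFailure` names, the 16-byte page size, the key material and the page addresses are all constructed assumptions; a SHA-256 keystream and hash stand in for the MK-TME engine's cipher and for the integrity/replay controls, and treating a key-ID mismatch as an integrity failure rather than a silent ciphertext read is a modelling choice.

```python
"""Added toy model of MOT-based isolation between trust domains (TDs) and the TDRM.

Constructed illustration only; it is not the patent's or Intel's implementation.
SHA-256 stands in for the MK-TME cipher and for a per-key integrity tag.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PAGE = 16  # constructed toy page size in bytes


class AccessDenied(Exception):
    """MOT ownership check failed: the access is aborted (modelled as an exception)."""


class IntegrityFailure(Exception):
    """Integrity tag did not verify under the accessor's key: tamper/replay detected."""


@dataclass
class MotEntry:
    owner_td: Optional[int]  # None: page belongs to the TDRM/VMM, not to any TD
    key_id: int              # key ID the page must be encrypted/decrypted with
    guest_pa: Optional[int]  # guest physical address at which the TD maps the page


class Platform:
    TDRM_KEY_ID = 0  # key ID used for all non-TD (TDRM/VMM) accesses

    def __init__(self) -> None:
        self.keys: Dict[int, bytes] = {self.TDRM_KEY_ID: b"constructed-tdrm-key"}
        self.td_key: Dict[int, int] = {}                 # td_id -> exclusive key ID
        self.mot: Dict[int, MotEntry] = {}               # host phys page -> MOT entry
        self.dram: Dict[int, Tuple[bytes, bytes]] = {}   # host phys page -> (ciphertext, tag)

    # --- TDRM operations: resource management without data visibility ---
    def create_td(self, td_id: int, key_material: bytes) -> int:
        """Allocate a fresh, exclusive key ID for a new TD and return it."""
        key_id = max(self.keys) + 1
        self.keys[key_id] = key_material   # in hardware the key never leaves the engine
        self.td_key[td_id] = key_id
        return key_id

    def assign_page(self, hpa: int, td_id: int, guest_pa: int) -> None:
        """Record in the MOT that host page `hpa` now belongs to `td_id`."""
        self.mot[hpa] = MotEntry(td_id, self.td_key[td_id], guest_pa)

    # --- memory path: MOT check selects the key ID, then encrypt/decrypt + tag ---
    def _keystream(self, key_id: int, hpa: int) -> bytes:
        return hashlib.sha256(self.keys[key_id] + hpa.to_bytes(8, "big")).digest()[:PAGE]

    def _tag(self, key_id: int, hpa: int, ct: bytes) -> bytes:
        return hashlib.sha256(b"tag" + self.keys[key_id] + hpa.to_bytes(8, "big") + ct).digest()

    def _key_for(self, ctx_td: Optional[int], hpa: int) -> int:
        """Resolve the key ID for an access; a TD context must own the page per the MOT."""
        if ctx_td is None:
            return self.TDRM_KEY_ID           # TDRM always accesses with its own key ID
        entry = self.mot.get(hpa)
        if entry is None or entry.owner_td != ctx_td:
            raise AccessDenied(f"TD {ctx_td} does not own host page {hpa:#x}")
        return entry.key_id

    def write(self, ctx_td: Optional[int], hpa: int, data: bytes) -> None:
        key_id = self._key_for(ctx_td, hpa)
        block = data.ljust(PAGE, b"\0")[:PAGE]
        ct = bytes(a ^ b for a, b in zip(block, self._keystream(key_id, hpa)))
        self.dram[hpa] = (ct, self._tag(key_id, hpa, ct))

    def read(self, ctx_td: Optional[int], hpa: int) -> bytes:
        key_id = self._key_for(ctx_td, hpa)
        ct, tag = self.dram[hpa]
        if tag != self._tag(key_id, hpa, ct):  # wrong key ID or tampered page
            raise IntegrityFailure(f"page {hpa:#x} fails integrity under key ID {key_id}")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(key_id, hpa))).rstrip(b"\0")


def demo() -> Dict[str, object]:
    """Walk through the TDRM/TD roles on constructed data and report each outcome."""
    p = Platform()
    p.create_td(1, b"constructed-td1-key")
    p.create_td(2, b"constructed-td2-key")
    p.assign_page(0x1000, 1, 0x0)   # TDRM hands host page 0x1000 to TD 1
    p.assign_page(0x2000, 2, 0x0)   # and host page 0x2000 to TD 2
    p.write(1, 0x1000, b"td1 secret")
    out: Dict[str, object] = {"td1_reads_own": p.read(1, 0x1000)}
    try:                            # TD 2 is not the MOT owner of 0x1000
        p.read(2, 0x1000)
        out["td2_reads_td1"] = "allowed"
    except AccessDenied:
        out["td2_reads_td1"] = "denied"
    try:                            # TDRM assigned the page but holds a different key ID
        p.read(None, 0x1000)
        out["tdrm_reads_td1"] = "plaintext"
    except IntegrityFailure:
        out["tdrm_reads_td1"] = "integrity_failure"
    p.write(None, 0x1000, b"tampered")   # TDRM overwrites the page under its own key
    try:
        p.read(1, 0x1000)
        out["td1_after_tamper"] = "undetected"
    except IntegrityFailure:
        out["td1_after_tamper"] = "integrity_failure"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Running `demo()` shows the four properties the paragraph states: the owning TD reads its own plaintext, a second TD is refused by the MOT before any data is touched, the TDRM that assigned the page cannot recover its contents, and a TDRM overwrite is caught by the TD's next read instead of being silently accepted.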
Conventional systems for providing isolation in a virtualization system do not fully extract CSP software from the tenant's TCB. Furthermore, conventional systems may increase the TCB significantly by using separate chipset subsystems, which implementations of the disclosure avoid. The TD architecture of implementations of the disclosure provides isolation between customer (tenant) workloads and CSP software by explicitly reducing the TCB through the removal of CSP software from the TCB. By providing secure isolation for CSP customer workloads (tenant TDs), the implementations provide a technical improvement over conventional systems and allow CSP software to be removed from the customer's TCB while meeting the security and functionality requirements of the CSP. In addition, the TD architecture is scalable to multiple TDs and can therefore support multiple tenant workloads. Furthermore, the TD architecture described herein is generic and can be applied to any dynamic random access memory (DRAM) or storage-class-memory (SCM)-based memory, such as non-volatile dual in-line memory modules (NV-DIMMs). As such, implementations of the disclosure allow software to take advantage of benefits such as direct access storage (DAS) mode for NVDIMMs used as SCM, without compromising platform security requirements.
Figure 1A is a schematic block diagram of a computing system 100 that provides isolation in a virtualization system using TDs, according to an implementation of the disclosure. The virtualization system 100 includes a virtualization server 110 that supports multiple client devices 101A-101C. The virtualization server 110 includes at least one processor 112 (also referred to as a processing unit) that executes a TDRM 180. The TDRM 180 may include a VMM (also referred to as a hypervisor) that may instantiate one or more TDs 190A-190C accessible by the client devices 101A-101C via a network interface 170. The client devices 101A-101C may include, but are not limited to, a desktop computer, a tablet computer, a laptop computer, a netbook, a notebook computer, a personal digital assistant (PDA), a server, a workstation, a cellular telephone, a mobile computing device, a smart phone, an Internet appliance, or any other type of computing device.
A TD may refer to a tenant (e.g., customer) workload. The tenant workload may, for example, consist of just an OS together with other ring-3 applications running on top of the OS, or may include a VM running on top of a VMM together with other ring-3 applications. In implementations of the disclosure, each TD may be cryptographically isolated in memory using a separate exclusive key for encrypting the memory (holding code and data) associated with the TD.
The processor 112 may include one or more cores 120 (also referred to as processing cores 120), range registers 130, a memory management unit (MMU) 140, and one or more output ports 150. Figure 1B is a schematic block diagram of a detailed view of a processor core 120 executing a TDRM 180 in communication with a MOT 160, one or more trust domain control structures (TDCSs) 124, and one or more trust domain thread control structures (TDTCSs) 128, as shown in Figure 1A. TDTCS and TD-TCS may be used interchangeably herein. The processor 112 may be used in a system that includes, but is not limited to, a desktop computer, a tablet computer, a laptop computer, a netbook, a notebook computer, a PDA, a server, a workstation, a cellular telephone, a mobile computing device, a smart phone, an Internet appliance, or any other type of computing device. In another implementation, the processor 112 may be used in an SoC system.
The computing system 100 is representative of processing systems based on the PENTIUM III, PENTIUM 4, Xeon, Itanium, XScale and/or StrongARM microprocessors available from Intel Corporation of Santa Clara, California, although other systems (including PCs having other microprocessors, engineering workstations, set-top boxes and the like) may also be used. In one implementation, the sample system 100 executes a version of the WINDOWS operating system available from Microsoft Corporation of Redmond, Washington, although other operating systems (UNIX and Linux, for example), embedded software, and/or graphical user interfaces may also be used. Thus, implementations of the disclosure are not limited to any specific combination of hardware circuitry and software.
The one or more processing cores 120 execute the instructions of the system. A processing core 120 includes, but is not limited to, pre-fetch logic to fetch instructions, decode logic to decode the instructions, execution logic to execute the instructions, and the like. In an implementation, the computing system 100 includes a component, such as the processor 112, to employ execution units including logic to perform algorithms for processing data.
Virtualization server 110 includes a main memory 114 and a secondary storage 118 to store program binaries and OS driver events. Data in secondary storage 118 may be stored in blocks referred to as pages, and each page may correspond to a set of physical memory addresses. Virtualization server 110 may employ virtual memory management, in which applications run by the one or more cores 120 (such as TDs 190A-190C) use virtual memory addresses that are mapped to guest physical memory addresses, and the guest physical memory addresses are mapped to host/system physical addresses by MMU 140.
Core 120 may execute MMU 140 to load pages from secondary storage 118 into main memory 114 (which includes volatile memory and/or non-volatile memory) for faster access by software running on processor 112 (for example, on the core). When one of TDs 190A-190C attempts to access a virtual memory address that corresponds to the physical memory address of a page loaded into main memory 114, MMU 140 returns the requested data. Core 120 may execute the VMM portion of TDRM 180 to translate guest physical addresses to host physical addresses of main memory, and to provide the parameters of a protocol that allows core 120 to read, walk and interpret these mappings.
In one implementation, processor 112 implements a TD architecture and ISA extensions (TDX) for the TD architecture. The TD architecture provides isolation between TD workloads 190A-190C and the CSP software executing on processor 112 (for example, TDRM 180 and/or a CSP VMM such as root VMM 180). The components of the TD architecture may include 1) memory encryption via MK-TME engine 145, 2) a resource management capability referred to herein as TDRM 180, and 3) execution state and memory isolation capabilities in processor 112 provided via MOT 160 and via the access-controlled TD control structures (that is, TDCS 124 and TDTCS 128). The TDX architecture provides processor 112 with the ability to deploy TDs 190A-190C, which utilize MK-TME engine 145, MOT 160 and the access-controlled TD control structures (that is, TDCS 124 and TDTCS 128) for secure operation of TD workloads 190A-190C.
In implementations of the disclosure, TDRM 180 acts as the host and has full control of cores 120 and the other platform hardware. TDRM 180 assigns one or more logical processors to the software in TDs 190A-190C. However, TDRM 180 cannot access the execution state of TDs 190A-190C on the assigned logical processor(s). Similarly, TDRM 180 assigns physical memory and I/O resources to TDs 190A-190C, but is not privy to the memory state of TD 190A, owing to the separate encryption keys and the other integrity and replay controls on memory.
With respect to the separate encryption keys, the processor may utilize MK-TME engine 145 to encrypt (and decrypt) the memory used during execution. With total memory encryption (TME), any memory access by software executing on core 120 can be encrypted in memory with an encryption key. MK-TME is an enhancement to TME that allows the use of multiple encryption keys (the number of supported keys is implementation dependent). Processor 112 may utilize MK-TME engine 145 to have different pages encrypted with different MK-TME keys. MK-TME engine 145 may be utilized in the TD architecture described herein to support one or more encryption keys per TD 190A-190C, helping to achieve cryptographic isolation between different CSP customer workloads. For example, when MK-TME engine 145 is used in the TD architecture, the CPU enforces by default that a TD-specific key is used to encrypt the whole TD (all pages). In addition, a TD may further choose for specific TD pages to be plaintext, or to be encrypted with different ephemeral keys that are opaque to CSP software.
Each TD 190A-190C is a software environment supporting a software stack composed of a VMM (for example, using Virtual Machine Extensions (VMX)), an OS and/or application software (hosted by the OS). Each TD 190A-190C operates independently of the other TDs 190A-190C and uses the logical processor(s), memory and I/O assigned to it by TDRM 180 on the platform. Software executing in a TD 190A-190C operates with reduced privileges, so that TDRM 180 can retain control of platform resources; however, under the defined circumstances, the TDRM cannot affect the confidentiality or integrity of TDs 190A-190C. Further details of the TD architecture and TDX are described below with respect to Figure 1B.
Implementations of the disclosure are not limited to computer systems. Alternative implementations of the disclosure can be used in other devices, such as handheld devices and embedded applications. Some examples of handheld devices include cellular phones, Internet Protocol devices, digital cameras, personal digital assistants (PDAs) and handheld PCs. Embedded applications may include a microcontroller, a digital signal processor (DSP), a system on a chip, network computers (NetPC), set-top boxes, network hubs, wide area network (WAN) switches, or any other system that can execute one or more instructions in accordance with at least one implementation.
One implementation may be described in the context of a single-processor desktop computer or server system, but alternative implementations may be included in a multiprocessor system. Computing system 100 may be an example of a "hub" system architecture. Computing system 100 includes a processor 112 to process data signals. As one illustrative example, processor 112 includes a complex instruction set computer (CISC) microprocessor, a reduced instruction set computing (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, a processor implementing a combination of instruction sets, or any other processor device (such as a digital signal processor, for example). Processor 112 is coupled to a processor bus that transmits data signals between processor 112 and other components of computing system 100 (such as main memory 114 and/or secondary storage device 118), which store instructions, data, or any combination thereof. Other components of computing system 100 may include a graphics accelerator, a memory controller hub, an I/O controller hub, a wireless transceiver, a flash BIOS, a network controller, an audio controller, a serial expansion port, an I/O controller, and so on. These elements perform their conventional functions, which are well known to those skilled in the art.
In one implementation, processor 112 includes a Level 1 (L1) internal cache memory. Depending on the architecture, processor 112 may have a single internal cache or multiple levels of internal cache. Other implementations include a combination of both internal and external caches, depending on the particular implementation and its needs. A register file stores different types of data in various registers, including integer registers, floating point registers, vector registers, banked registers, shadow registers, checkpoint registers, status registers, configuration registers and an instruction pointer register.
It should be noted that the execution unit may or may not have a floating point unit. In one implementation, processor 112 includes a microcode (ucode) ROM to store microcode which, when executed, performs algorithms for certain macroinstructions or handles complex scenarios. Here, the microcode is potentially updateable to handle logic bugs/fixes for processor 112.
Alternative implementations of the execution unit may also be used in microcontrollers, embedded processors, graphics devices, DSPs and other types of logic circuits. System 100 includes a main memory 114 (also referred to as memory 114). Main memory 114 includes a DRAM device, a static random access memory (SRAM) device, a flash memory device, or another memory device. Main memory 114 stores instructions and/or data, represented by data signals, that are to be executed by processor 112. Processor 112 is coupled to main memory 114 via the processor bus. A system logic chip, such as a memory controller hub (MCH), may be coupled to the processor bus and to main memory 114. The MCH can provide a high-bandwidth memory path to main memory 114 for instruction and data storage and for storage of graphics commands, data and textures. The MCH can be used, for example, to direct data signals between processor 112, main memory 114 and other components in system 100, and to bridge the data signals between the processor bus, memory 114 and system I/O. The MCH may be coupled to memory 114 through a memory interface. In some implementations, the system logic chip can provide a graphics port for coupling to a graphics controller through an Accelerated Graphics Port (AGP) interconnect.
Computing system 100 may also include an I/O controller hub (ICH). The ICH can provide direct connections to some I/O devices via a local I/O bus. The local I/O bus is a high-speed I/O bus for connecting peripherals to memory 114, the chipset and processor 112. Some examples are the audio controller, a firmware hub (flash BIOS), a wireless transceiver, a data storage device, a legacy I/O controller containing user input and keyboard interfaces, a serial expansion port such as Universal Serial Bus (USB), and a network controller. The data storage device may include a hard disk drive, a floppy disk drive, a CD-ROM device, a flash memory device, or another mass storage device.
In another implementation of a system, the instructions executed by processor core 120 as described above can be used with a system on a chip. One implementation of a system on a chip comprises a processor and a memory. The memory of one such system is a flash memory. The flash memory can be located on the same die as the processor and the other system components. Additionally, other logic blocks such as a memory controller or a graphics controller can also be located on the system on a chip.
With reference to Figure 1B, this figure depicts a block diagram of the processor 112 of Figure 1A, according to one implementation of the disclosure. In one implementation, processor 112 may execute application stack 101 via a single core 120 or across several cores 120. As discussed above, processor 112 may provide a TD architecture and TDX to provide confidentiality (and integrity) for customer software running in a customer/tenant (that is, TD 190A) in an untrusted cloud service provider (CSP) infrastructure. The TD architecture provides: memory isolation via MOT 160; CPU state isolation, which incorporates CPU key management via TDCS 124 and/or TDTCS 128; and a CPU measurement infrastructure for the TD 190A software.
In one implementation, the TD architecture provides ISA extensions (referred to as TDX) that support confidential operation of an OS and of OS-managed applications (virtualized and non-virtualized). A platform with TDX enabled, such as a platform including processor 112, can act as multiple cryptographic contexts referred to as TDs. For ease of explanation, a single TD 190A is depicted in Figure 1B. Each TD 190A can run VMMs, VMs, OSes and/or applications. For example, TD 190A is depicted as hosting VM 195A.
In one implementation, TDRM 180 may be included as a functional part of a VMM (for example, a root VMM). A VMM may refer to software, firmware or hardware that creates, runs and manages virtual machines (VMs), such as VM 195A. It should be noted that a VMM may create, run and manage one or more VMs. As depicted, VMM 110 is included as a component of the one or more processing cores 120 of processing device 122. VMM 110 may create and run VM 195A and assign one or more virtual processors (for example, vCPUs) to VM 195A. VM 195A may be referred to herein as guest 195A. The VMM may allow VM 195A to access the hardware of the underlying computing system (such as computing system 100 of Figure 1A). VM 195A may execute a guest operating system (OS). The VMM may manage the execution of the guest OS. The guest OS may function to control the access of the virtual processors of VM 195A to the underlying hardware and software resources of computing system 100. It should be noted that, when there are many VMs 195A operating on processing device 112, the VMM may manage each of the guest OSes executing on the many guests. In some implementations, a VMM may be implemented by TD 190A to manage VM 195A. Such a VMM may be referred to as a tenant VMM and/or a non-root VMM, and is discussed in further detail below.
TDX also provides a programming interface for a TD management layer of the TD architecture referred to as TDRM 180. The TDRM may be implemented as part of the CSP/root VMM. TDRM 180 manages the operation of TDs 190A. While TDRM 180 can assign and manage resources such as CPU, memory and input/output (I/O) for TD 190A, TDRM 180 is designed to operate outside the TCB of TD 190A. The TCB of a system refers to the set of hardware, firmware and/or software components that have the ability to influence the trust in the overall operation of the system.
In one implementation, the TD architecture is thus the capability to protect software running in TD 190A. As discussed above, the components of the TD architecture may include 1) memory encryption via a TME engine having multi-key extensions to TME (for example, MK-TME engine 145 of Figure 1A), 2) a software resource management layer (TDRM 180), and 3) execution state and memory isolation capabilities in the TD architecture.
Fig. 2A is a block diagram depicting an example computing system implementing a TD architecture 200. TD architecture 200 supports two types of TD. The first type is a TD in which the tenant trusts the CSP to enforce confidentiality and which does not implement the TD architecture of implementations of the disclosure. Such a legacy TD is depicted as TD1 210. TD1 210 is a CSP TD having a CSP-VMM-managed TCB 202. TD1 210 may include a CSP VMM 212 managing a CSP VM 214 and/or one or more tenant VMs 216A, 216B. In this case, tenant VMs 216A, 216B are managed by the CSP VMM 212, which is in the TCB 202 of VMs 216A, 216B. In implementations of the disclosure, tenant VMs 216A, 216B may still leverage memory encryption via TME or MK-TME in this model (described further below).
The other type is a TD in which the tenant does not trust the CSP to enforce confidentiality and therefore relies on a CPU having the TD architecture of implementations of the disclosure. Such a TD is shown in two variants as TD2 220 and TD3 230. TD2 220 is shown with a virtualization mode (such as VMX) that is utilized by a tenant VMM (non-root) 222 running in TD2 220 to manage tenant VMs 225A, 225B. TD3 230 does not include software using a virtualization mode, but instead runs an enlightened OS 235 directly in TD3 230. TD2 220 and TD3 230 are tenant TDs having a hardware-enforced TCB 204, as described in implementations of the disclosure. In one implementation, TD2 220 or TD3 230 may be the same as the TD 190A described with respect to Figures 1A and/or 1B.
TDRM 180 manages the life cycle of all three types of TD 210, 220, 230, including the allocation of resources. However, TDRM 180 is not in the TCB of the TD types TD2 220 and TD3 230. TD architecture 200 does not place any architectural restriction on the number or mix of TDs active on the system. However, software and certain hardware limitations in a specific implementation may limit the number of TDs running concurrently on the system, owing to other constraints.
Fig. 2B is a block diagram depicting an example of a TD architecture 250 and the interactions between a TD 220 and a TDRM 280. In one implementation, TD 220 and TDRM 280 are the same as their counterparts described with respect to Fig. 2A. TD architecture 250 may be the same as the TD architecture provided by computing device 100 of Figures 1A and 1B and/or TD architecture 200 of Fig. 2A. TD architecture 250 provides a layer that manages the life cycle of the TDs active on the system. Processor support for TDs is provided by a form of processor operation called TDX operation. There are two kinds of TDX operation: resource manager operation and tenant operation. In general, TDRM 180 runs in TDX resource manager operation, and TDs (such as TD2 220) run in TDX tenant operation. Transitions between resource manager operation and tenant operation are called TDX transitions.
There are two kinds of TDX transition: TD entry 270 and TD exit 260. A transition from TDX resource manager operation into TDX tenant operation is called a TD entry 270. A transition from TDX tenant operation to TDX resource manager operation is called a TD exit 260.
Processor behavior in TDX resource manager operation is similar to processor behavior outside TDX operation. The principal differences are that a set of TDX operations (TDX instructions) is available, and that the values that can be loaded into certain control registers are constrained, to limit the modes and abilities of TDRM 180.
Processor behavior in TDX tenant operation is similarly restricted to facilitate isolation. For example, instead of ordinary operation, certain events cause a TD exit 260 to TDRM 180. These TD exits 260 do not allow TDRM 180 to modify the behavior or state of TD 220. TDRM 180 uses platform capabilities to retain control of platform resources. Software running in TD 220 may use software-visible information to determine that it is running in TD 220, and may enforce local measurement policies on additional software loaded into TD 220. However, verification of the security state of TD 220 is performed by a remote attestation party to ensure confidentiality.
TD architecture 250 is designed to minimize the compatibility impact on software that relies on virtualization when running in TD 220, and therefore leaves most interactions between the VMs 225A, 225B running in tenant operation and the tenant VMM 222 running in tenant operation unchanged. If no VMM 222 is present in TD 220, the VM OS may be modified to work with TDRM 180 as the root VMM.
In one implementation, TDRM 180 may explicitly decide to cause a TD exit 260, for example to terminate TD 120 or to manage memory resources (for example, to yield assigned memory resources, request free memory resources, and so on). TD architecture 250 also provides TDRM 180 with the ability to force TD exits 260 for preemption. On a TD exit 260, the TD architecture enforces that the execution state of TD 220 is saved in CPU-access-controlled memory assigned to TD 220, and that this execution state is encrypted using a unique encryption key of TD 220 (described further below) that is not visible to TDRM 180 or to other TDs, to protect the confidentiality of the TD state from TDRM 180 and other TDs. The TD execution state may similarly be protected against spoofing, remapping and/or replay via the integrity controls on memory.
TD entry 270 is the complementary event to TD exit 260. For example, a TD entry 270 may occur when TDRM 180 schedules TD 220 to run on a logical processor and transfers execution to the software running in TD 220. During a TD entry 270, TD architecture 250 enforces that the execution state of TDRM 180 is saved in memory owned by the TDRM, encrypted using a unique encryption key assigned for the sole use of TDRM 180.
A TD such as TD 220 may be set up by TDRM 180 using the TDCREATE (to create the TDCS), TDTCREATE (to create a TD-TCS) and TDADDPAGE instructions, which cause the memory belonging to TD 220 to be encrypted using a unique encryption key of the TD that is not visible or accessible to TDRM 180 or to other TDs. Before any instruction belonging to the TD is executed, all TD memory is encrypted using the TD's unique key. Although specific instruction names are referenced herein, other names for the instructions may be used in implementations of the disclosure, which are not limited to the specific names provided herein.
In one implementation, TDRM 180 may launch each TD 220 with a small software image (similar to an IBB, or initial boot block) after signature verification, and record the IBB measurement using the platform root of trust (for subsequent attestation). It is the IBB software executing in TD 220 that is responsible for completing the measured launch of TD 220 and requesting additional resources from TDRM 180. TD 220 has the option of using a single encryption key for the entire TD 220, or of using additional encryption keys for the different tenant VMs 225A, 225B (and/or containers, or different memory resources such as NVRAM) running inside TD 220. Thus, when TD 220 is first set up, TD 220 uses an exclusive CPU-generated MK-TME key. Thereafter, TD 220 may optionally set up additional MK-TME encryption keys for each tenant-software-managed context operating inside TD 220 (for example, tenant VMs 225A and 225B, containers or other memory types).
In order to minimize the software compatibility impact on both VMMs of the CSP (for example, TDRM root VMM 180 and tenant VMM 222), virtualization (for example, VMX) operation may remain unmodified inside TD 220 in TD architecture 250. Similarly, the operation of VMM software such as extended page table (EPT) management may remain under the control of tenant VMM 222 (if one is active in TD 220 and is not managed by TDRM 180). As TDRM 180 assigns physical memory to each TD 220, TD architecture 250 includes a MOT (that is, the MOT 160 described with respect to Figures 1A and 1B). Processor 112 consults the MOT managed by TDRM 180 to assign allocations of memory to TD 220. This allows TDRM 180 the full ability to manage memory as a resource without having any visibility into the data residing in the assigned TD memory. In some implementations, as discussed above, the platform (for example, root) VMM and TDRM 180 may be in the same encryption key domain and thus share memory management and scheduler functions (while still remaining outside the tenant's TCB).
Fig. 3 is a block diagram depicting another example TD architecture 300. TD architecture 300 depicts the I/O concept for TDs. In one implementation, TD architecture 300 may allow all I/O devices (for example, NIC 320, storage device 330, single-root I/O virtualization (SR-IOV) NIC 240, and so on) to be attached to TD1 210, which trusts the CSP and the TDRM (for example, legacy TD1 210). In one implementation, TD architecture 300 may not allow direct assignment of devices (including SR-IOV and scalable I/O) to TDs that do not trust CSP software, such as tenant TD2 220. Instead, TDRM 180 may provide the ability for a shared memory 310 between a CSP TD (for example, TD1 210) and other TDs (such as tenant TD2 220), in order to implement synthetic ("syn") devices (for example, syn NIC 325 and syn storage device 335) in non-CSP TDs (for example, tenant TD2 220). In some implementations, a tenant TD that does not trust CSP software (such as tenant TD2 220) may be responsible for protecting its I/O data. TD architecture 300 may not protect I/O data exposed via shared memory 310. In some implementations, I/O data may be protected by using existing security protocols between the communication endpoints.
Referring back to Figure 1B, MOT 160 (which may be referred to as TD-MOT) is a structure, such as a table, managed by processor 112 to enforce the assignment of physical memory pages to executing TDs, such as TD 190A. Processor 112 also uses MOT 160 to enforce that the physical addresses referenced by software operating as tenant TD 190A or as TDRM 180 cannot access memory that has not been explicitly assigned to it.
MOT 160 enforces the following properties. First, software outside TD 190A should not be able to access (read/write/execute) in plaintext any memory belonging to a different TD (this includes TDRM 180). Second, memory pages assigned via MOT 160 to a specific TD (such as TD 190A) should be accessible from any processor in the system (where that processor is executing the TD to which the memory is assigned).
The MOT 160 structure is used to hold the metadata attributes of each 4KB page of memory. Additional structures may be defined for additional page sizes (2MB, 1GB). The metadata of each 4KB page of memory is directly indexed by the physical page address. In other implementations, other page sizes may be supported by a hierarchical structure (like a page table).
A 4KB page referenced in MOT 160 can belong to one running instance of a TD 190A. 4KB pages referenced in MOT 160 can be valid memory or be marked as invalid (and hence may be IO, for example). In one implementation, each TD instance 190A includes one page holding the TDCS 124 for that TD 190A.
In one implementation, MOT 160 is aligned on a 4KB memory boundary and occupies a physically contiguous region of memory that is protected from software access after platform initialization. In an implementation, the MOT is a micro-architectural structure and cannot be directly accessed by software. Architecturally, MOT 160 holds the following security attributes for each 4KB page of host physical memory:
Page Status 162 - valid/invalid (whether the page is valid memory or not)
Page Category - DRAM, NVRAM, IO, Reserved
Page State 163 - (4-bit vector) specifies whether the page is:
  Bit 1 - Free (a page that is not assigned to a TD and not used by the TDRM)
  Bit 2 - Assigned (a page assigned to a TD or to the TDRM)
  Bit 3 - Blocked (a page blocked while it is in the process of being freed or (re)assigned)
  Bit 4 - Pending (a dynamic page assigned to a TD but not yet accepted by the TD)
TDID 164 - (40 bits) TD identifier that assigns the page to a specific unique TD. The address of the TDCS.
In some implementations, extended MOT 160 entries may be supported, which further include:
Page Key ID 165 - (8 bits; the size is implementation specific) specifies the per-page encryption key that is expected to match the key ID obtained by the processor during the page walk of physical memory referenced by the TD. If the MOT 160 entry is not an extended entry, the page key ID is derived from TDCS 124. One of the key ID values specified in the MOT can be used for memory content shared with the TDRM (or root VMM). Shared pages can hold input/output buffers to be sent to hardware devices managed by the TDRM. Similarly, shared pages can be used to emulate virtual devices exposed to the TD by the TDRM.
Guest Physical Address 166 - (52 bits) specifies the expected guest physical address used by the software executing in the TD. (This field is used when TDRM 180 is expected to perform memory remapping and to enable the ability to swap memory.)
Guest Permissions 167 - permissions to assert on the final page (execute, read and write, for user and supervisor). Multiple sets of these permission bits may exist to support a VMM executing in the TD.
MOT 160 may be enabled when TDX is enabled in processor 112 (for example, via a CR4 enable bit, after CPUID-based enumeration). Once MOT 160 is enabled, processor 112 can use MOT 160 to enforce memory access control on all physical memory accesses initiated by software (including TDRM 180). In one implementation, the access control is enforced during the page walk for memory accesses made by software. Physical memory accesses performed by processor 112 to memory that is not assigned to tenant TD 190A or to TDRM 180 fail with abort-page semantics.
In implementations of the disclosure, TDRM 180 manages memory resources via MOT 160 using a MOT operation instruction (TDMOTOP) with the following instruction leaves:
Add page to MOT (TDMOTADDPAGE) - marks a free MOT 160 entry corresponding to a host physical address (HPA) as (exclusively) assigned to the TD 190A specified by a TDID. Any other prior page state causes a fault. This instruction forces a cross-thread TLB shootdown to confirm that no other TD 190A is caching a mapping to this HPA. This instruction leaf may be invoked by TDRM 180. If TDRM 180 has enabled the extended MOT, the instruction can specify the initial guest physical address (GPA) that is mapped to the specified HPA. Processor 112 verifies that the GPA is mapped to the HPA by walking the EPT structure managed by TDRM 180. A variant of add page may be implemented that assigns the page to a TD (TDMOTAUGPAGE) but does not capture a measurement of the page.
Revoke page from MOT (TDMOTREVOKEPAGE) - marks an assigned page as a free page. This instruction forces a cross-thread TLB shootdown to confirm that subsequent TD 190A accesses check HPA ownership, and the page contents are cleared by processor 112. A TD 190A access that experiences a MOT 160 page fault during TLB fill causes processor 112 to invalidate TDCS 124, which prevents further TD entries into TD 190A. This instruction leaf may be invoked by TDRM 180.
Block page in MOT (TDMOTBLOCKPAGE) - marks a free or assigned MOT 160 entry corresponding to an HPA as blocked for software usage. Any other prior page state causes a TDRM 180 fault. This instruction forces a cross-thread TLB shootdown to confirm that subsequent TD 190A accesses check HPA ownership. This instruction leaf may be invoked by TDRM 180.
Unblock page in MOT (TDMOTUNBLOCKPAGE) - marks a blocked MOT 160 entry corresponding to an HPA as valid for software usage/assignment. Any other prior page state causes a fault. This instruction leaf may be invoked by TDRM 180.
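The following is an added example, not code from the patent or from any Intel implementation: a software model of the MOT entry attributes listed above, of the four TDMOTOP leaves, and of the page-walk check that fails an access to memory not assigned to the accessing TD or TDRM. MOT_PAGES, TDID_NONE, TDID_TDRM, the prev_state field, the shootdown counter and the hypothetical function names are modelling assumptions; the real MOT is a micro-architectural structure that software cannot access directly. The model only makes the state transitions, and the rule that any other prior page state faults, concrete enough to exercise.

```c
/* Added example, not code from the patent: a software model of the MOT 160
 * entry attributes and of the TDMOTOP leaves TDMOTADDPAGE, TDMOTREVOKEPAGE,
 * TDMOTBLOCKPAGE and TDMOTUNBLOCKPAGE, plus the page-walk access check.
 * MOT_PAGES, TDID_NONE, TDID_TDRM, prev_state and the shootdown counter are
 * modelling assumptions, not architectural features. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12                /* the MOT tracks 4KB pages */
#define MOT_PAGES  16                /* assumption: pages covered by this model */
#define TDID_NONE  0ULL              /* assumption: entry has no owner */
#define TDID_TDRM  0xFFFFFFFFFFULL   /* assumption: 40-bit id used for TDRM-owned pages */

enum page_state    { PS_FREE = 1, PS_ASSIGNED = 2, PS_BLOCKED = 4, PS_PENDING = 8 }; /* Page State 163 */
enum page_category { PC_DRAM, PC_NVRAM, PC_IO, PC_RESERVED };                         /* Page Category */

struct mot_entry {
    bool     valid;       /* Page Status 162: valid memory or not */
    uint8_t  category;    /* Page Category */
    uint8_t  state;       /* Page State 163 (one bit set at a time in this model) */
    uint8_t  prev_state;  /* assumption: state restored by unblock */
    uint64_t tdid;        /* TDID 164: owning TD (40 bits) */
    uint8_t  key_id;      /* Page Key ID 165 (extended entry) */
    uint64_t gpa;         /* Guest Physical Address 166 (extended entry) */
};

struct mot {
    struct mot_entry e[MOT_PAGES];   /* directly indexed by physical page number */
    unsigned tlb_shootdowns;         /* assumption: counts forced cross-thread shootdowns */
};

static bool hpa_to_index(uint64_t hpa, unsigned *idx) {
    uint64_t pfn = hpa >> PAGE_SHIFT;
    if (pfn >= MOT_PAGES) return false;
    *idx = (unsigned)pfn;
    return true;
}

void mot_init(struct mot *m) {
    memset(m, 0, sizeof *m);
    for (unsigned i = 0; i < MOT_PAGES; i++) {
        m->e[i].valid = true;
        m->e[i].category = PC_DRAM;
        m->e[i].state = PS_FREE;
    }
}

/* TDMOTADDPAGE: a free entry becomes exclusively assigned to tdid; any other
 * prior state is a fault (false). Extended entries also record key ID and GPA. */
bool tdmot_add_page(struct mot *m, uint64_t hpa, uint64_t tdid, uint8_t key_id, uint64_t gpa) {
    unsigned i;
    if (!hpa_to_index(hpa, &i) || !m->e[i].valid || m->e[i].state != PS_FREE) return false;
    m->tlb_shootdowns++;              /* no other TD may keep a cached mapping of this HPA */
    m->e[i].state = PS_ASSIGNED; m->e[i].tdid = tdid; m->e[i].key_id = key_id; m->e[i].gpa = gpa;
    return true;
}

/* TDMOTREVOKEPAGE: an assigned entry becomes free and the page contents are cleared. */
bool tdmot_revoke_page(struct mot *m, uint64_t hpa, uint8_t *page_contents) {
    unsigned i;
    if (!hpa_to_index(hpa, &i) || m->e[i].state != PS_ASSIGNED) return false;
    m->tlb_shootdowns++;              /* later TD accesses must re-check HPA ownership */
    if (page_contents) memset(page_contents, 0, 1u << PAGE_SHIFT);
    m->e[i].state = PS_FREE; m->e[i].tdid = TDID_NONE; m->e[i].key_id = 0; m->e[i].gpa = 0;
    return true;
}

/* TDMOTBLOCKPAGE: a free or assigned entry becomes blocked for software use. */
bool tdmot_block_page(struct mot *m, uint64_t hpa) {
    unsigned i;
    if (!hpa_to_index(hpa, &i) || !(m->e[i].state & (PS_FREE | PS_ASSIGNED))) return false;
    m->tlb_shootdowns++;
    m->e[i].prev_state = m->e[i].state;
    m->e[i].state = PS_BLOCKED;
    return true;
}

/* TDMOTUNBLOCKPAGE: a blocked entry becomes valid for use/assignment again. */
bool tdmot_unblock_page(struct mot *m, uint64_t hpa) {
    unsigned i;
    if (!hpa_to_index(hpa, &i) || m->e[i].state != PS_BLOCKED) return false;
    m->e[i].state = m->e[i].prev_state;
    return true;
}

/* Page-walk check: an access by owner tdid (a TD, or TDID_TDRM) using key_id to
 * hpa at guest address gpa succeeds only if the page is valid, assigned to that
 * owner, and the key ID and expected GPA match; anything else is an abort-page
 * failure, modelled as false. */
bool mot_check_access(const struct mot *m, uint64_t hpa, uint64_t tdid, uint8_t key_id, uint64_t gpa) {
    unsigned i;
    if (!hpa_to_index(hpa, &i)) return false;
    const struct mot_entry *e = &m->e[i];
    return e->valid && e->state == PS_ASSIGNED && e->tdid == tdid && e->key_id == key_id && e->gpa == gpa;
}

int main(void) {
    struct mot m;
    uint8_t page[1u << PAGE_SHIFT];
    mot_init(&m);
    memset(page, 0xAB, sizeof page);
    printf("add 0x3000 to TD 7: %d\n", tdmot_add_page(&m, 0x3000, 7, 1, 0x10000));
    printf("TD 8 access:        %d\n", mot_check_access(&m, 0x3000, 8, 1, 0x10000));
    printf("TD 7 access:        %d\n", mot_check_access(&m, 0x3000, 7, 1, 0x10000));
    printf("revoke:             %d, first byte now %02x\n", tdmot_revoke_page(&m, 0x3000, page), page[0]);
    return 0;
}
```

Reading the check function together with the leaves shows why the text has each state-changing leaf force a TLB shootdown: the ownership, key ID and expected-GPA comparisons only protect a page if no stale translation from before the state change survives in any thread's TLB.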
After the TD software has cleared any secrets from the memory, memory assigned to TD 190A may be returned to TDRM 180 via an explicit TDCALL. The extended operation of MOT 160 is used for the following cases: (1) the VMM in TD 190A may remap the GPAs used in the TD, and/or (2) TDRM 180 may wish to swap memory assigned to TD 190A. In both cases above, a mismatched GPA used during the page walk would generate a TDRM 180 EPT violation. The extended MOT instruction leaves below address these cases:
Modify PGA in MOT (TDMOTMODPMA) - to handle the first case above, TDRM 180 uses this extended MOT 160 instruction to update the MOT 160 security attributes of the page used by TD 190A. TDRM 180 provides a GPA, which the CPU uses to walk the EPT structure managed by the TD VMM and retrieve the new GPA referenced by the TD VMM. Processor 112 then walks the TDRM 180 EPT to find the referenced HPA and, if the page is assigned to the active TD 190A, updates the expected GPA attribute to match the mismatched GPA reported during the faulting walk. TDRM 180 can then restart TD 190A.
For the second situation, TDRM 180 unmaps the GPA from its EPT structure and, on the resulting fault, should use the MOT block-page instruction (TDMODBLOCKPAGE) to mark the page unavailable to software (cleared by flushing), and should use the extended MOT 160 instructions TDEXTRACT and TDINJECT to create a cryptographically protected, swappable version of the page content that can later be restored to a newly assigned HPA. The TDEXTRACT (and TDINJECT) instructions capture (and correspondingly verify) cryptographically signed integrity information for the swapped TD page so that it can be verified on restore. The cryptographic information can include a counter to ensure that a malicious TDRM cannot replay a stale page.
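The swap-out/swap-in protection described in the paragraph above, as an added reference model in Python; this is not code from the patent. It assumes an HMAC-SHA-384 over (TD ID, GPA, counter, content) as the integrity tag and a per-page counter that is consumed on inject; the names Cpu, SwapBlob, td_extract, td_inject and replay_demo are this example's own.

```python
"""Model of the TDEXTRACT / TDINJECT swap protection described above.

Added example, not code from the patent. The CPU-held per-TD key is stood in
for by an HMAC-SHA-384 key that only the Cpu object holds, and page content is
kept in the clear: what is demonstrated is integrity binding and anti-replay,
not confidentiality. All names below are this example's own.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

PAGE_SIZE = 4096


@dataclass(frozen=True)
class SwapBlob:
    """What the TDRM gets from TDEXTRACT and must hand back to TDINJECT."""
    td_id: int
    gpa: int
    counter: int    # swap counter captured at extract time (anti-replay)
    content: bytes  # page content (ciphertext on real hardware)
    mac: bytes      # integrity tag over td_id, gpa, counter and content


class Cpu:
    def __init__(self) -> None:
        # Constructed stand-in for the TD's ephemeral key; never visible to the TDRM.
        self._key = hashlib.sha384(b"constructed ephemeral TD key").digest()
        self._next_counter: dict[tuple[int, int], int] = {}
        self._swapped_out: dict[tuple[int, int], int] = {}  # (td, gpa) -> live counter

    def _tag(self, td_id: int, gpa: int, counter: int, content: bytes) -> bytes:
        msg = (td_id.to_bytes(8, "little") + gpa.to_bytes(8, "little")
               + counter.to_bytes(8, "little") + content)
        return hmac.new(self._key, msg, hashlib.sha384).digest()

    def td_extract(self, td_id: int, gpa: int, page: bytes) -> SwapBlob:
        """Capture a blocked TD page for swap-out, bound to a fresh counter."""
        if len(page) != PAGE_SIZE:
            raise ValueError("TDEXTRACT operates on whole 4 KB pages")
        key = (td_id, gpa)
        counter = self._next_counter.get(key, 0)
        self._next_counter[key] = counter + 1
        self._swapped_out[key] = counter  # only this version may be injected
        content = bytes(page)
        return SwapBlob(td_id, gpa, counter, content,
                        self._tag(td_id, gpa, counter, content))

    def td_inject(self, td_id: int, gpa: int, blob: SwapBlob) -> bytes:
        """Verify a blob and return the content to place at the new HPA.

        All checks run before any state changes, so a rejected inject leaves
        the page swapped out and a later, correct inject still succeeds.
        """
        key = (td_id, gpa)
        if key not in self._swapped_out:
            raise PermissionError("no page of this TD/GPA is swapped out")
        if (blob.td_id, blob.gpa) != key:
            raise PermissionError("blob is bound to a different TD or GPA")
        expected = self._tag(td_id, gpa, blob.counter, blob.content)
        if not hmac.compare_digest(blob.mac, expected):
            raise PermissionError("integrity check failed: blob was modified")
        if blob.counter != self._swapped_out[key]:
            raise PermissionError("stale page: replay of an older version rejected")
        del self._swapped_out[key]  # consumed; injecting the same blob again fails
        return blob.content


def _rejected(fn) -> bool:
    try:
        fn()
        return False
    except PermissionError:
        return True


def replay_demo() -> dict[str, bool]:
    """Two swap cycles plus the attacks a malicious TDRM could try between them."""
    cpu, td, gpa = Cpu(), 7, 0x4000
    page_v0 = b"\x00" * PAGE_SIZE  # constructed page contents
    page_v1 = b"\x01" * PAGE_SIZE
    out: dict[str, bool] = {}

    blob_v0 = cpu.td_extract(td, gpa, page_v0)
    out["inject_current"] = cpu.td_inject(td, gpa, blob_v0) == page_v0

    blob_v1 = cpu.td_extract(td, gpa, page_v1)  # TD ran and rewrote the page
    out["stale_rejected"] = _rejected(lambda: cpu.td_inject(td, gpa, blob_v0))
    forged = SwapBlob(td, gpa, blob_v1.counter, b"\x02" * PAGE_SIZE, blob_v1.mac)
    out["tamper_rejected"] = _rejected(lambda: cpu.td_inject(td, gpa, forged))
    out["inject_after_rejections"] = cpu.td_inject(td, gpa, blob_v1) == page_v1
    out["double_inject_rejected"] = _rejected(lambda: cpu.td_inject(td, gpa, blob_v1))
    return out
```

td_inject consumes the live counter only after every check passes, so a rejected attempt leaves the page swapped out and the legitimate blob still injectable; replay_demo exercises the stale, tampered and double-inject cases that the counter in the paragraph above exists to stop.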
In one implementation, TDRM 180 initialization begins by enabling TDX on processor 112 (for example, by setting CR4.TDXE, or via a VMX MSR control bit during VMXON). TDX support can be enumerated via CPUID. Once TDX is enabled, TDRM 180 executes (that is, runs) a TDX-mode-enable instruction (TDXON) to enable the TDX mode of the processor; alternatively, the mode can be enabled as part of VMXON. TDXON registers a naturally aligned 4 KB memory region that the logical processor uses as the TDRM 180 state region. In one implementation, the TDRM 180 state region is stored as TDRM state 185 in a TDRM control structure (TDRCS) 182; the TD-RCS can also be implemented as a new type of VMCS containing only host state, controls, and TD exit information. In one implementation, TDCS and TD-TCS are access-controlled via MOT 160 (for example, the encryption key ID stored in MOT 160 is used to enforce memory access control). In another implementation, TDCS and TD-TCS are access-controlled via one or more range registers of processor 112 (such as range registers 130) that restrict the storage, making them inaccessible to software. TDRM state 185 is discussed in further detail below. The physical address of the 4 KB page for TDRCS 182 is provided in the operand to TDXON. TDRM 180 makes this page inaccessible to all TDs 190A via MOT 160. TDRM 180 should initialize and access TDRCS 185. TDRM 180 should use a separate TDRCS 185 for each logical processor.
In one implementation, the example TDRM state 185 that TDRM 180 initializes and that processor 112 loads on a TD exit can include, but is not limited to, the state described in Table 1 below:
Field | Description |
RIP | Linear address in the TDRM address space at which execution starts in TD root mode on a TD exit |
RSP | TDRM stack pointer (linear address) |
ES selector | Segment information |
CS selector | Segment information |
SS selector | Segment information |
DS selector | Segment information |
FS selector | Segment information |
GS selector | Segment information |
TR selector | Segment information |
FS base | Segment base |
GS base | Segment base |
TR base | Segment base |
GDTR base | Segment base |
IDTR base | Segment base |
CR0 | PG/NE/PE forced to 1; CD/NW ignored |
CR3 | TDRM may specify |
CR4 | VMXE/PAE forced to 1 |
IA32_PAT | TDRM may specify |
Table 1: Processor state (64-bit) loaded from the TDRCS on TD exit
The following processor state is set/fixed automatically during a TD exit (and is therefore not specified in the TD-RCS):
- CR0, CR4 (64-bit mode may require additional CR4 mask values)
- DR7; the DRs are cleared (the effect of the PDR bit needs to be considered)
- IA32_DEBUGCTL, IA32_PERF_GLOBAL_CTRL, IA32_PAT, IA32_BNDCFGS
- IA32_EFER (ensures 64-bit mode)
- Segment registers (base, limit, access): same as a VM exit
- RFLAGS: same as a VM exit, set to 0x2
- LDTR: same as a VM exit, null
The following processor state is cleared automatically during a TD exit (and is therefore not specified in the TD-RCS):
- IA32_SYSENTER_CS / EIP / ESP
- IA32_KERNEL_GS_BASE
- IA32_STAR / FMASK / LSTAR
- GPRs (except RSP)
- XSAVE state
- Extended state (x87/SSE, CET, etc.): may be considered optional and conditional
The TD-RCS also holds control fields and an exit information structure (for reporting TD exit information), as given in Table 2 below:
Field | Description |
MSR access control bitmap address | 64-bit physical address of the 4 KB page holding the MSR access control bitmap |
XSAVES access control bitmap | 64-bit XSAVES access control bitmap |
Extended page table pointer | 64-bit EPTP |
TD preemption timer | 64-bit TD preemption timer |
TD-TCS slot ID | The specific TD-TCS linked to this TD-RCS for the duration of the TD entry |
Table 2: TD-RCS structure
Table 3 below details the exit information fields in the TD-RCS:
Field | Description |
TDEXIT_REASON | 64-bit value (n bits valid, 64-n reserved). See the table below for reference values |
TDEXIT_QUAL | See the table below |
Table 3: TD-RCS exit information fields
In one implementation, TD 190A can be created and launched by TDRM 180. TDRM 180 creates TD 190A using the TD-create instructions (TDCREATE and TDTCREATE). TDRM 180 selects a 4 KB-aligned region of physical memory and provides it as a parameter to the TD-create instruction. This memory region is used as the TDCS 124 of TD 190A. When executed, the TDCREATE instruction causes processor 112 to verify (using MOT 160) that the destination 4 KB page is assigned to the TD. The TDCREATE instruction also causes processor 112 to generate an ephemeral memory encryption key and key ID for TD 190A and to store the key ID in TDCS 124. Processor 112 then initializes the page content on the destination page assigned to the TD using the encryption key. In one implementation, initializing the page content includes initiating the TD state of the TD, described further below with respect to TDTCS 128. The TDCREATE instruction then causes processor 112 to initialize the hash for the TD measurement in TDCS 124.
In one implementation, TDRM 180 sets up the IBB code/data for TD 190A using the TDADDPAGE instruction (discussed above), which specifies (as parameters) the address of the TDCS page 124 (of TD 190A), the address in the TDRM address space of the code/data page of the TD image, and the physical page assigned to TD 190A. Processor 112 then verifies that the destination 4 KB page is assigned to TD 190A. Once verified, processor 112 extends the hash for TD 190A in TDCS 124. The processor then copies the page content from the source to the destination page using the unique encryption key assigned to TD 190A.
TDRM 180 provides the TD boot configuration via a data page containing the physical memory map (and identity page tables). TDRM 180 initializes the physical memory, and processor 112 verifies that the pages and identity page tables are assigned to TD 190A. TDRM 180 then completes the measurement of TD 190A using the TDINIT instruction. TDRM 180 can then use the TDENTER instruction to begin executing TD 190A (this uses TDTCS 128, as described further below).
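The build sequence in the preceding paragraphs (TDCREATE, TDADDPAGE, TDINIT), as an added reference model in Python, not the patent's own code. The page says TDADDPAGE "extends" the measurement hash but fixes no encoding, so the model assumes a running SHA-384 over each page's GPA followed by its content; the key source (os.urandom), the tdrm_assign_page step that records MOT ownership, the IBB_GPA_BASE layout and all other names are assumptions of this example.

```python
"""Model of the TDCREATE -> TDADDPAGE -> TDINIT build flow described above.

Added example, not the patent's code. MRTD is modelled as a running SHA-384
that TDADDPAGE extends with each page's GPA and content (an assumption: the
page says the hash is "extended" but fixes no encoding); the ephemeral key
comes from os.urandom; tdrm_assign_page stands in for the MOT assignment step.
"""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass

PAGE_SIZE = 4096
IBB_GPA_BASE = 0x100000  # constructed guest layout for the initial boot block


@dataclass
class MotEntry:
    td_id: int          # owning TD
    gpa: int            # expected guest physical address of the page
    key_id: int | None  # set once the TD's ephemeral key exists


@dataclass
class Tdcs:
    td_id: int
    key_id: int
    mrtd_hash: object          # running SHA-384, finalized by TDINIT
    mrtdblocks: int = 0        # pages extended into MRTD so far
    mrtd: bytes | None = None


class Processor:
    def __init__(self) -> None:
        self.mot: dict[int, MotEntry] = {}
        self._keys: dict[int, bytes] = {}  # CPU-only ephemeral keys
        self._next_key_id = 1

    def tdrm_assign_page(self, hpa: int, td_id: int, gpa: int) -> None:
        """Assumed TDRM step: record in the MOT that hpa belongs to td_id at gpa."""
        self.mot[hpa] = MotEntry(td_id, gpa, None)

    def _owned_by(self, hpa: int, td_id: int) -> MotEntry:
        entry = self.mot.get(hpa)
        if entry is None or entry.td_id != td_id:
            raise PermissionError(f"HPA {hpa:#x} is not assigned to TD {td_id}")
        return entry

    def tdcreate(self, tdcs_hpa: int, td_id: int) -> Tdcs:
        """Check the TDCS page in the MOT, mint the TD's key, start the measurement."""
        self._owned_by(tdcs_hpa, td_id)
        key_id, self._next_key_id = self._next_key_id, self._next_key_id + 1
        self._keys[key_id] = os.urandom(32)  # never leaves the "CPU"
        self.mot[tdcs_hpa].key_id = key_id
        return Tdcs(td_id, key_id, hashlib.sha384())

    def tdaddpage(self, tdcs: Tdcs, src_page: bytes, dst_hpa: int) -> None:
        """Measure a page into MRTD and tag its destination with the TD's key ID."""
        entry = self._owned_by(dst_hpa, tdcs.td_id)
        if tdcs.mrtd is not None:
            raise PermissionError("TDINIT already ran; measured adds are closed")
        tdcs.mrtd_hash.update(entry.gpa.to_bytes(8, "little"))  # where it lands
        tdcs.mrtd_hash.update(src_page)                          # and what it holds
        tdcs.mrtdblocks += 1
        entry.key_id = tdcs.key_id

    def tdinit(self, tdcs: Tdcs) -> bytes:
        """Finalize MRTD, the value a later attestation is checked against."""
        tdcs.mrtd = tdcs.mrtd_hash.digest()
        return tdcs.mrtd


def build_td(cpu: Processor, td_id: int, base_hpa: int, image: list[bytes]) -> Tdcs:
    """TDRM-side build: TDCS at base_hpa, IBB pages behind it, fixed guest layout."""
    cpu.tdrm_assign_page(base_hpa, td_id, gpa=0)
    tdcs = cpu.tdcreate(base_hpa, td_id)
    for i, page in enumerate(image):
        hpa = base_hpa + (i + 1) * PAGE_SIZE
        cpu.tdrm_assign_page(hpa, td_id, gpa=IBB_GPA_BASE + i * PAGE_SIZE)
        cpu.tdaddpage(tdcs, page, hpa)
    cpu.tdinit(tdcs)
    return tdcs


def measurement_demo() -> dict[str, bool]:
    cpu = Processor()
    image = [b"\x90" * PAGE_SIZE, b"\xcc" * PAGE_SIZE]  # constructed IBB pages
    a = build_td(cpu, 1, 0x10000, image)
    b = build_td(cpu, 2, 0x80000, image)   # same image at other host addresses
    c = build_td(cpu, 3, 0x200000, [image[0], image[1][:-1] + b"\x00"])
    return {
        "same_image_same_mrtd": a.mrtd == b.mrtd,
        "each_td_gets_own_key": len({a.key_id, b.key_id, c.key_id}) == 3,
        "one_byte_changes_mrtd": a.mrtd != c.mrtd,
    }
```

build_td constructs two TDs from the same image at different host addresses and a third with one byte changed; measurement_demo shows that MRTD depends on the guest layout and page content but not on the HPAs the TDRM happened to pick, which is what lets a verifier compare it against a golden value. Pages whose MOT entry does not belong to the TD, and pages added after TDINIT, are refused before the hash is touched.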
Referring now to TDCS 124, this control structure specifies the controls that processor 112 initializes when TD 190A is successfully created. TDCS 124 can be used once TD 190A is enabled. In one implementation, TDCS occupies a naturally aligned 4K memory region. After successful execution of the TDCREATE instruction, the page identified as TDCS 124 in MOT 160 is blocked from software read/write. In one implementation, TDCS 124 is access-controlled via MOT 160 (for example, as described above, the assigned key ID for TDCS 124 stored in MOT 160 is used during the page walk of processor 112 to prevent unauthorized software read/write). In another implementation, TDCS 124 is access-controlled via one or more range registers of processor 112 that restrict the storage, making it inaccessible to software. TDCS 124 can include, but is not limited to, the fields described in Table 4 below:
Field | Size (bytes) | Description |
REVISION | 4 | Revision identifier 126 |
TDID | 8 (40 bits valid, rest reserved) | Identifier of TD 190A |
COUNT_TCS | 4 (16 bits valid, rest reserved) | Number of TD-TCSs 142 associated with this TDCS |
COUNT_BUSY_TCS | 4 (16 bits valid, rest reserved) | Number of busy TD-TCSs associated with this TDCS |
KID_ENTRY_0* | 8 (8 bits valid, rest reserved) | Ephemeral key ID* of the key assigned to TD 190A during TDCREATE |
KID_ENTRY_1 | 8 (8 bits valid, rest reserved) | Key ID 1 assigned to the TD during TDCREATE. The TD can assign a key via PCONFIG. |
KID_ENTRY_2 | 8 (8 bits valid, rest reserved) | Key ID 2 assigned to the TD during TDCREATE. The TD can assign a key via PCONFIG. |
KID_ENTRY_3 | 8 (8 bits valid, rest reserved) | Key ID 3 assigned to the TD during TDCREATE. The TD can assign a key via PCONFIG. |
ATTRIBUTES | 16 (see the table below) | Attributes of the trust domain |
MRTD | 48 | SHA-384 measurement 138 of the initial content of the TD |
RESERVED | 16 (must be 0) | Reserved for growing MREG to SHA-512 |
MRSWID | 48 | Software-defined identifier for additional logic loaded after the initial build |
MRCONFIGID | 48 | Software-defined identifier for additional TD SW configuration |
MROWNER | 48 | Software-defined identifier of the owner of the VM |
MROWNERCONFIG | 48 | Software-defined identifier for additional image configuration from the owner |
XCR0 | 8 | Initial value of XCR0 |
OWNERID | 8 | Owner ID |
MRTDBLOCKS | 4 | Number of blocks updated into MRTD (needed only pre-TDINIT) |
COUNT_TCS_MAX | | Maximum number of logical processors that can be assigned to this TD (4095 at most) |
RESERVED | | Reserved (other TD metadata) 143 |
Table 4: TDCS structure
The TDCS.ATTRIBUTES field has the bit layout described in Table 5 below:
Table 5: TDCS.ATTRIBUTES field bit layout
TD 190A can request that TDRM 180 assign N logical processors (CPUs) to TD 190A. For each requested CPU, TDRM 180 uses TDADDPAGE (parameters <op, TDCS, TD CPU index, HPA>) to add a TDTCS page 128 to TD 190A. Processor 112 verifies that the destination 4 KB page is assigned to TD 190A. Processor 112 updates TCSList[index] 142 in TDCS 124 for TD 190A. TDTCS 128 can back-reference its parent TDCS 124 (which is specified in the TDADDPAGE instruction parameters).
TDRM 180 enters TD 190A using TDENTER with TDTCS 128 (parameters <TDCS, CPU index>). This activates TDTCS 128 (and the referenced TDCS 124). The TDENTER instruction checks that TDTCS 128 is not already active. On TDENTER, processor 112 activates the TD 190A key ID for enforcement by the page miss handler (PMH)/TLB. Processor 112 then loads the TD state from TDTCS 128, and TD 190A executes.
TDTCS 128 holds the execution state of a logical processor assigned to TD 190A. If a TD exit condition occurs while processor 112 is in TD tenant mode, the TD exit stores the tenant's execution state in TDTCS 128. In one implementation, TDTCS 128 is access-controlled via MOT 160 (for example, as described above, the key ID is used during the page walk of processor 112 to prevent unauthorized software read/write). In another implementation, TDTCS 128 is access-controlled via one or more range registers of processor 112 that restrict the storage, making it inaccessible to software.
If a TD exit occurs while processor 112 is operating in the context of a non-root VMM inside TD 190A, a VM exit to the TD VMM (for example, TD VMM 222) (for example, VM exit 280 of Fig. 2B) is pending (not yet reported); the TD exit stores the tenant VMM state in TDTCS 128 and performs the TD exit (switching key ID enforcement). A subsequent TDENTER invoked by TDRM 180 switches key ID enforcement, restores the tenant state from TDTCS 128 (of TD 190A), and restarts the tenant VMM or OS. Accordingly, if processor 112 was operating in the context of the non-root VMM during the previous TD exit, the TD entry reports the VM exit to the tenant VMM (on TD entry).
As discussed above, TDTCS 128 holds the execution state of TD 190A. The execution state of TD 190A is stored in TDTCS 128. TDTCS can be non-architectural and can hold the fields detailed in Tables 6 to 9 below:
Field | Description |
STATE | Execution state of the TD virtual processor. A value of 0 indicates that this TD-TCS is available to TDENTER. A value of 1 indicates that the TD-TCS is active on a logical processor (this TD-TCS is currently being used to execute the TD). |
TDCS | Link back to the parent TDCS (64-bit HPA) |
FLAGS | TD-TCS execution flags (see Table 7 below) |
TD_STATE_S | TD state corresponding to supervisor mode. See the table below. |
TD_STATE_U | TD state corresponding to user mode. See the table below. |
Table 6: TDTCS fields
Field | Bit position | Description |
DEBUG | 0 | Opt-in flag for debug entry of the TD-TCS |
RESERVED | 63:1 | NA |
Table 7: TDTCS execution flags
Field | Description |
CR0 | Initial state set by TDCREATE; mask applied on load |
CR2 | Loaded as saved; initialized to 0 |
CR3 | Loaded as saved; initialized by the TD OS |
CR4 | Initial state set by TDCREATE; mask applied on load |
DR0 | Loaded as saved; initialized cleared |
DR1 | Loaded as saved; initialized cleared |
DR2 | Loaded as saved; initialized cleared |
DR3 | Loaded as saved; initialized cleared |
DR6 | Loaded as saved; initialized cleared |
DR7 | Loaded as saved; initialized with debugging disabled |
IA32_SYSENTER_CS | Loaded as saved; initialized by the TD OS |
IA32_SYSENTER_ESP | Loaded as saved; initialized by the TD OS |
IA32_SYSENTER_EIP | Loaded as saved; initialized by the TD OS |
SYSCALL MSRs | Loaded as saved; initialized by the TD OS |
IA32_EFER | Loaded as saved; initialized by the TD OS |
IA32_PAT | Loaded as saved; initialized by the TD OS |
IA32_BNDCFGS | Loaded as saved; initialized by the TD OS |
ES segment information | Selector, base, limit, AR byte |
CS segment information | Selector, base, limit, AR byte |
SS segment information | Selector, base, limit, AR byte |
DS segment information | Selector, base, limit, AR byte |
FS segment information | Selector, base, limit, AR byte |
GS segment information | Selector, base, limit, AR byte |
LDTR segment information | Selector, base, limit, AR byte |
TR segment information | Selector, base, limit, AR byte |
GDTR base | Loaded as saved; initialized by the TD OS |
GDTR limit | Loaded as saved; initialized by the TD OS |
IDTR base | Loaded as saved; initialized by the TD OS |
IDTR limit | Loaded as saved; initialized by the TD OS |
RIP | Loaded as saved; initialized by TDCREATE for the IBB |
RSP | Loaded as saved; initialized by TDCREATE for the IBB |
RFLAGS | Loaded as saved; initialized by TDCREATE for the IBB |
PDPTEs* (32-bit PAE) | Loaded as saved; initialized by the TD OS |
IA32_XSS | Loaded as saved; initialized by the TD OS |
XCR0 | Loaded as saved; initialized by the TD OS |
Kernel_GS_BASE | Loaded as saved; initialized by the TD OS |
TSC_AUX | Loaded as saved; initialized by the TD OS |
Table 8: TDTCS supervisor execution state
Field | Description |
RAX | Loaded as saved; initialized by the TD OS |
RBX | Loaded as saved; initialized by the TD OS |
RCX | Loaded as saved; initialized by the TD OS |
RDX | Loaded as saved; initialized by the TD OS |
RBP | Loaded as saved; initialized by the TD OS |
RSI | Loaded as saved; initialized by the TD OS |
RDI | Loaded as saved; initialized by the TD OS |
R8 | Loaded as saved; initialized by the TD OS |
R9 | Loaded as saved; initialized by the TD OS |
R10 | Loaded as saved; initialized by the TD OS |
R11 | Loaded as saved; initialized by the TD OS |
R12 | Loaded as saved; initialized by the TD OS |
R13 | Loaded as saved; initialized by the TD OS |
R14 | Loaded as saved; initialized by the TD OS |
R15 | Loaded as saved; initialized by the TD OS |
XSAVE state | Loaded as saved; initialized by the TD OS |
Table 9: TDTCS additional fields
In one implementation, TD 190A can be destroyed by TDRM 180. TDRM 180 destroys TD 190A using the TD-destroy instructions (TDDESTROY and TDTDESTROY). The CPU verifies that all memory assigned to the TD has been revoked and that all TD-TCSs have been destroyed before it allows the TDCS to be destroyed.
Fig. 4 is a flow diagram of an example method 400 for providing isolation in a virtualized system using TDs, according to one implementation. Method 400 can be performed by processing logic that may include hardware (for example, circuitry, dedicated logic, programmable logic, microcode, etc.), software (such as operations executed by an MCU), firmware, or a combination thereof. In one implementation, method 400 is performed by processing device 112 of Fig. 1A or Fig. 1B. In another implementation, method 400 is performed by any of the processing devices described with respect to Figs. 7-12. Alternatively, other components of computing system 100 (or software executing on processing device 112) can perform some or all of the operations of method 400.
Referring to Fig. 4, method 400 begins at block 410, where the processing logic executes a TDRM to manage a TD, the TD including a VM executed by the processing device. At block 420, the processing logic maintains a TDCS for managing global metadata for one or more of the TD executed by the processing logic or other TDs. Then, at block 430, the processing logic maintains the execution state of the TD in a TD-TCS, which is access-controlled against software accesses from at least one of the TDRM, a VMM, or other TDs executed by the processing device.
Then, at block 440, the processing logic references the MOT to obtain at least one key ID corresponding to an encryption key assigned to the TD. In one implementation, the key ID allows the processing logic to access memory pages assigned to the TD in response to the processing device executing in the context of the TD, where the memory pages assigned to the TD are encrypted with the encryption key. Finally, at block 450, the processing logic references the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD. In one implementation, a match between the guest physical address obtained from the MOT and the guest physical address being accessed allows the processing device to access the memory page assigned to the TD in response to the processing device executing in the context of the TD.
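The MOT checks of blocks 440 and 450 (key ID and expected-GPA match on every walk), together with the TDMOTMODPMA remap fix-up described earlier on this page, as an added Python reference model that is not the patent's code. The TDRM EPT and the TD VMM's nested EPT are plain dicts, the key ID is an integer compared on every walk, tdmotmodpma takes the TD ID explicitly instead of using the active TD, and every name (Processor, MotEntry, EptViolation, fault_reason, remap_demo) is this example's own.

```python
"""Reference model of the MOT access check (blocks 440 and 450 above) and of
the TDMOTMODPMA fix-up for the remap case described earlier on this page.
Added example, not the patent's code: the TDRM EPT and the TD VMM's nested
EPT are plain dicts, the key ID is an integer compared on every walk, and
TDMOTMODPMA takes the TD ID explicitly. Names are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass

TDRM_KEY_ID = 0


class EptViolation(Exception):
    """Exit to the TDRM that reports the GPA the faulting walk used."""

    def __init__(self, gpa: int, reason: str) -> None:
        super().__init__(f"{reason} (gpa={gpa:#x})")
        self.gpa, self.reason = gpa, reason


@dataclass
class MotEntry:
    owner: int         # owning TD
    expected_gpa: int  # the one GPA through which the page may be reached
    key_id: int        # key ID that must be active to touch the page


class Processor:
    def __init__(self) -> None:
        self.mot: dict[int, MotEntry] = {}               # HPA -> ownership metadata
        self.tdrm_ept: dict[int, dict[int, int]] = {}    # td -> {TD GPA: HPA}
        self.td_vmm_ept: dict[int, dict[int, int]] = {}  # td -> {L2 GPA: TD GPA}
        self.active_td: int | None = None
        self.active_key_id = TDRM_KEY_ID

    def assign(self, hpa: int, td_id: int, gpa: int, key_id: int) -> None:
        """TDRM-side setup, standing in for the TDADDPAGE-style leaves."""
        self.mot[hpa] = MotEntry(td_id, gpa, key_id)
        self.tdrm_ept.setdefault(td_id, {})[gpa] = hpa
        self.td_vmm_ept.setdefault(td_id, {})

    def tdenter(self, td_id: int, key_id: int) -> None:
        self.active_td, self.active_key_id = td_id, key_id

    def tdexit(self) -> None:
        self.active_td, self.active_key_id = None, TDRM_KEY_ID

    def access(self, gpa: int) -> int:
        """Page walk for the running TD: TDRM EPT, then the MOT. Returns the HPA."""
        hpa = self.tdrm_ept[self.active_td].get(gpa)
        if hpa is None:
            raise EptViolation(gpa, "GPA not mapped")
        entry = self.mot.get(hpa)
        if entry is None or entry.owner != self.active_td:
            raise EptViolation(gpa, "HPA not assigned to the running TD")
        if entry.key_id != self.active_key_id:
            raise EptViolation(gpa, "active key ID does not match the page")
        if entry.expected_gpa != gpa:
            raise EptViolation(gpa, "GPA differs from the MOT's expected GPA")
        return hpa

    def tdmotmodpma(self, td_id: int, l2_gpa: int) -> None:
        """TDRM asks the CPU to ratify a remap the TD VMM made in its own EPT."""
        new_gpa = self.td_vmm_ept[td_id].get(l2_gpa)
        hpa = self.tdrm_ept[td_id].get(new_gpa)
        entry = self.mot.get(hpa)
        if entry is None or entry.owner != td_id:
            raise PermissionError("page not assigned to that TD; nothing updated")
        entry.expected_gpa = new_gpa  # the value comes from the TD VMM, not the TDRM


def fault_reason(walk) -> str | None:
    try:
        walk()
        return None
    except EptViolation as e:
        return e.reason


def remap_demo() -> dict[str, bool]:
    cpu = Processor()
    cpu.assign(0x10000, td_id=1, gpa=0x1000, key_id=5)
    cpu.assign(0x20000, td_id=2, gpa=0x1000, key_id=6)  # another TD, same GPA
    out: dict[str, bool] = {}
    cpu.tdenter(1, key_id=5)
    out["own_page_ok"] = cpu.access(0x1000) == 0x10000
    cpu.tdrm_ept[1][0x3000] = 0x20000  # a hostile TDRM aliases TD 2's page into TD 1
    out["cross_td_alias_blocked"] = (fault_reason(lambda: cpu.access(0x3000))
                                     == "HPA not assigned to the running TD")
    cpu.tdexit()
    cpu.td_vmm_ept[1][0x8000] = 0x2000  # TD VMM moved its L2 guest's page to GPA 0x2000
    cpu.tdrm_ept[1][0x2000] = 0x10000   # TDRM maps the new GPA to the same HPA
    cpu.tdenter(1, key_id=5)
    out["mismatch_faults"] = (fault_reason(lambda: cpu.access(0x2000))
                              == "GPA differs from the MOT's expected GPA")
    cpu.tdexit()
    cpu.tdmotmodpma(1, l2_gpa=0x8000)   # TDRM's handler for that violation
    cpu.tdenter(1, key_id=5)
    out["access_after_fixup"] = cpu.access(0x2000) == 0x10000
    out["old_gpa_now_faults"] = fault_reason(lambda: cpu.access(0x1000)) is not None
    return out
```

The two properties worth noting in remap_demo: the TDRM can point its EPT wherever it likes, but a page whose MOT entry belongs to another TD, or that is reached through a GPA other than the recorded one, faults rather than being silently served; and TDMOTMODPMA only lets the TDRM trigger a fix-up whose new GPA the CPU reads from the TD VMM's own tables, so the untrusted TDRM cannot choose the value.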
Fig. 5 is a flow diagram of an example method 500 for performing a TD exit when providing isolation in a virtualized system using TDs, according to one implementation. Method 500 can be performed by processing logic that may include hardware (for example, circuitry, dedicated logic, programmable logic, microcode, etc.), software (such as operations executed by an MCU), firmware, or a combination thereof. In one implementation, method 500 is performed by processing device 112 of Fig. 1A or Fig. 1B. In another implementation, method 500 is performed by any of the processing devices described with respect to Figs. 7-12. Alternatively, other components of computing system 100 (or software executing on processing device 112) can perform some or all of the operations of method 500.
Referring to Fig. 5, method 500 begins at block 510, where the processing logic identifies a TD exit event. In one implementation, a TDRM is managing the TD associated with the TD exit event, and the processing logic is executing in the context of the TD when the TD exit event is identified.
At block 520, in response to identifying the TD exit event, the processing logic uses a first key identifier (ID) corresponding to a first encryption key assigned to the TD to save the TD supervisor execution state and the TD user execution state of the TD into a TD-TCS corresponding to the TD. In one implementation, the execution state is encrypted with the first encryption key, and the TDCS is access-controlled against software accesses from at least one of the TDRM, a VMM, or other TDs executed by the processing device.
Then, at block 530, the processing logic modifies the key ID state of the processing device from the first key ID to a second key ID corresponding to at least one of the TDRM or the VMM. Finally, at block 540, the processing logic loads TDRM execution and control state and exit information so that the processing device operates in the context of the TDRM.
Fig. 6 is a flow diagram of an example method 600 for performing a TD entry when providing isolation in a virtualized system using TDs, according to one implementation. Method 600 can be performed by processing logic that may include hardware (for example, circuitry, dedicated logic, programmable logic, microcode, etc.), software (such as operations executed by an MCU), firmware, or a combination thereof. In one implementation, method 600 is performed by processing device 112 of Fig. 1A or Fig. 1B. In another implementation, method 600 is performed by any of the processing devices described with respect to Figs. 7-12. Alternatively, other components of computing system 100 (or software executing on processing device 112) can perform some or all of the operations of method 600.
Referring to Fig. 6, method 600 begins at block 610, where the processing logic identifies a TD entry event while the processing device is executing in the context of a TDRM. In one implementation, the processing logic executes the TDRM to manage the TD.
At block 620, in response to identifying the TD entry event, the processing logic uses a first key ID corresponding to a first encryption key assigned to the TDRM to load TDRM control state of the TDRM from a TDRCS corresponding to the TDRM. In one implementation, the execution state is encrypted with the first encryption key. In addition, the TDRCS can be access-controlled against software accesses from at least one of the TD or other TDs executed by the processing device.
Then, at block 630, the processing logic modifies the key ID state of the processing device from the first key ID to a second key ID corresponding to a second encryption key assigned to the TD. Finally, at block 640, the processing logic loads the TD supervisor execution state and the TD user execution state from the TD-TCS so that the processing device operates in the context of the TD. In one implementation, the TD-TCS is access-controlled against software accesses from at least one of the TDRM or other TDs executed by the processing device.
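The TD exit and TD entry sequences of Figs. 5 and 6, with the TDTCS STATE field of Table 6 and the automatic clearing of GPRs on exit listed earlier on this page, as an added Python model that is not the patent's code. Registers are a small dict, the encryption of the TDRCS/TDTCS contents is not modelled (their access control is what keeps the saved state private), and the exit reason value is arbitrary; the names Tdtcs, Tdcs, Tdrcs, LogicalProcessor and entry_exit_demo are this example's own.

```python
"""Model of TDENTER / TD exit as described in Figs. 5 and 6 and Tables 1-9 above.

Added example, not the patent's code. Registers are a dict of a few names, the
TDRCS/TDTCS encryption is not modelled, and the exit reason is arbitrary.
Names are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass

TDRM_KEY_ID = 0
GPRS = ("rax", "rbx", "rcx", "rdx")  # cleared on TD exit (page: GPRs except RSP)


@dataclass
class Tdtcs:
    """Per-vCPU control structure (Table 6): STATE plus the saved TD state."""
    td_state: dict[str, int]
    state: int = 0  # 0: available to TDENTER; 1: active on a logical processor


@dataclass
class Tdcs:
    td_id: int
    key_id: int
    tcs_list: list[Tdtcs]
    count_busy_tcs: int = 0


@dataclass
class Tdrcs:
    """Per-logical-processor TDRM control structure (Tables 1 to 3)."""
    tdrm_state: dict[str, int]        # RIP, RSP, CR3, ... loaded on every TD exit
    td_tcs_slot: Tdtcs | None = None
    tdexit_reason: int | None = None


class LogicalProcessor:
    def __init__(self, tdrcs: Tdrcs) -> None:
        self.tdrcs = tdrcs
        self.key_id = TDRM_KEY_ID
        self.regs: dict[str, int] = {**dict.fromkeys(GPRS, 0), **tdrcs.tdrm_state}
        self.current: tuple[Tdcs, Tdtcs] | None = None

    def tdenter(self, tdcs: Tdcs, index: int) -> None:
        """TDENTER <TDCS, CPU index>: refuse a TDTCS another LP is already running."""
        tcs = tdcs.tcs_list[index]
        if tcs.state != 0:
            raise RuntimeError("TDTCS is active on another logical processor")
        tcs.state, tdcs.count_busy_tcs = 1, tdcs.count_busy_tcs + 1
        self.tdrcs.td_tcs_slot = tcs
        self.key_id = tdcs.key_id          # PMH/TLB now enforce the TD's key ID
        self.regs = dict(tcs.td_state)     # load tenant state from the TDTCS
        self.current = (tdcs, tcs)

    def tdexit(self, reason: int) -> None:
        """TD exit: save tenant state, switch to the TDRM key, load TDRM state."""
        tdcs, tcs = self.current
        tcs.td_state = dict(self.regs)     # saved under the TD's key (Tables 8/9)
        self.key_id = TDRM_KEY_ID
        # GPRs/XSAVE are cleared, not leaked; RIP/RSP/CRs come from the TDRCS.
        self.regs = {**dict.fromkeys(GPRS, 0), **self.tdrcs.tdrm_state}
        self.tdrcs.tdexit_reason = reason
        tcs.state, tdcs.count_busy_tcs = 0, tdcs.count_busy_tcs - 1
        self.tdrcs.td_tcs_slot, self.current = None, None


def entry_exit_demo() -> dict[str, bool]:
    tdrm = {"rip": 0xFFFF_8000_0000_1000, "rsp": 0xFFFF_8000_0020_0000, "cr3": 0x1000}
    lp0, lp1 = LogicalProcessor(Tdrcs(dict(tdrm))), LogicalProcessor(Tdrcs(dict(tdrm)))
    vcpu0 = Tdtcs(td_state={**dict.fromkeys(GPRS, 0), "rip": 0x1000, "rsp": 0x7000, "cr3": 0x2000})
    tdcs = Tdcs(td_id=1, key_id=5, tcs_list=[vcpu0])
    out: dict[str, bool] = {}

    lp0.tdenter(tdcs, 0)
    out["td_key_active"] = lp0.key_id == 5 and tdcs.count_busy_tcs == 1
    lp0.regs["rax"] = 0xDEADBEEF           # tenant computes something secret
    lp0.regs["rip"] += 0x10
    try:
        lp1.tdenter(tdcs, 0)               # same vCPU on a second LP at the same time
        out["double_entry_blocked"] = False
    except RuntimeError:
        out["double_entry_blocked"] = True

    lp0.tdexit(reason=0x30)
    out["tdrm_sees_no_gprs"] = lp0.regs["rax"] == 0 and lp0.regs["rip"] == tdrm["rip"]
    out["tdrm_key_active"] = lp0.key_id == TDRM_KEY_ID and tdcs.count_busy_tcs == 0
    out["exit_reported"] = lp0.tdrcs.tdexit_reason == 0x30 and lp0.tdrcs.td_tcs_slot is None

    lp1.tdenter(tdcs, 0)                   # now free: resume on the other LP
    out["state_resumes_where_left"] = lp1.regs["rax"] == 0xDEADBEEF and lp1.regs["rip"] == 0x1010
    return out
```

entry_exit_demo exercises the two checks a reviewer would look for: the STATE field stops two logical processors from running the same TDTCS concurrently (which would otherwise let two copies of one vCPU race on the same saved state), and on exit the TDRM is handed only the state from its own TDRCS while the tenant's GPRs are cleared, yet the next TDENTER resumes exactly where the tenant left off.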
Fig. 7A is a block diagram illustrating an in-order pipeline and a register renaming stage, out-of-order issue/execution pipeline of a processor that provides isolation in a virtualized system using trust domains, according to at least one implementation of the disclosure. Fig. 7B is a block diagram illustrating the out-of-order issue/execution logic, register renaming logic, and in-order architecture core to be included in a processor according to at least one implementation of the disclosure. The solid boxes in Fig. 7A illustrate the in-order pipeline, while the dashed boxes illustrate the register renaming, out-of-order issue/execution pipeline. Similarly, the solid boxes in Fig. 7B illustrate the in-order architecture logic, while the dashed boxes illustrate the register renaming and out-of-order issue/execution logic.
In Fig. 7A, processor pipeline 700 includes a fetch stage 702, a length decode stage 704, a decode stage 706, an allocation stage 708, a renaming stage 710, a scheduling stage 712 (also known as dispatch or issue), a register read/memory read stage 714, an execute stage 716, a write back/memory write stage 718, an exception handling stage 722, and a commit stage 724. In some implementations, the stages are provided in a different order, and different stages may be considered in-order or out-of-order.
In Fig. 7B, arrows denote a coupling between two or more units, and the direction of an arrow indicates the direction of data flow between those units. Fig. 7B shows processor core (core) 790 including a front end unit 730 coupled to an execution engine unit 750, both of which are coupled to a memory unit 770.
Core 790 may be a reduced instruction set computing (RISC) core, a complex instruction set computing (CISC) core, a very long instruction word (VLIW) core, or a hybrid or alternative core type. As yet another option, core 790 may be a special-purpose core, such as, for example, a network or communication core, compression engine, graphics core, or the like.
Front end unit 730 includes a branch prediction unit 732 coupled to an instruction cache unit 734, which is coupled to an instruction translation lookaside buffer (TLB) 736, which is coupled to an instruction fetch unit 738, which is coupled to a decode unit 740. The decode unit or decoder may decode instructions and generate as an output one or more micro-operations, microcode entry points, microinstructions, other instructions, or other control signals, which are decoded from, or which otherwise reflect or are derived from, the original instructions. The decoder may be implemented using various different mechanisms. Examples of suitable mechanisms include, but are not limited to, look-up tables, hardware implementations, programmable logic arrays (PLAs), microcode read-only memories (ROMs), etc. Instruction cache unit 734 is further coupled to a level 2 (L2) cache unit 776 in memory unit 770. Decode unit 740 is coupled to a rename/allocator unit 752 in execution engine unit 750.
Execution engine unit 750 includes rename/allocator unit 752 coupled to a retirement unit 754 and a set of one or more scheduler units 756. The scheduler units 756 represent any number of different schedulers, including reservation stations, a central instruction window, etc. The scheduler units 756 are coupled to one or more physical register file units 758. Each of the physical register file units 758 represents one or more physical register files, different ones of which store one or more different data types (such as scalar integer, scalar floating point, packed integer, packed floating point, vector integer, vector floating point, etc.), status (for example, an instruction pointer that is the address of the next instruction to be executed), etc. The physical register file units 758 are overlapped by retirement unit 754 to illustrate the various ways in which register renaming and out-of-order execution may be implemented (for example, using one or more reorder buffers and one or more retirement register files; using one or more future files, one or more history buffers, and one or more retirement register files; using register maps and a pool of registers; etc.).
Generally, the architectural registers are visible from the outside of the processor or from a programmer's perspective. The registers are not limited to any known particular type of circuit. Various different types of registers are suitable as long as they are capable of storing and providing data as described herein. Examples of suitable registers include, but are not limited to, dedicated physical registers, dynamically allocated physical registers using register renaming, combinations of dedicated and dynamically allocated physical registers, etc. Retirement unit 754 and the physical register file units 758 are coupled to one or more execution clusters 760. The execution clusters 760 include a set of one or more execution units 762 and a set of one or more memory access units 764. Execution units 762 may perform various operations (for example, shifts, addition, subtraction, multiplication) and on various types of data (for example, scalar floating point, packed integer, packed floating point, vector integer, vector floating point).
While some implementations may include a number of execution units dedicated to specific functions or sets of functions, other implementations may include only one execution unit or multiple execution units that all perform all functions. The scheduler units 756, physical register file units 758, and execution clusters 760 are shown as being possibly plural because certain implementations create separate pipelines for certain types of data/operations (for example, a scalar integer pipeline, a scalar floating point/packed integer/packed floating point/vector integer/vector floating point pipeline, and/or a memory access pipeline, each having its own scheduler unit, physical register file unit, and/or execution cluster; and in the case of a separate memory access pipeline, certain implementations are implemented in which only the execution cluster of this pipeline has the memory access units 764). It should also be understood that where separate pipelines are used, one or more of these pipelines may be out-of-order issue/execution and the rest in-order.
The set of memory access units 764 is coupled to memory unit 770, which includes a data TLB unit 772 coupled to a data cache unit 774, which is coupled to a level 2 (L2) cache unit 776. In one exemplary implementation, the memory access units 764 may include a load unit, a store address unit, and a store data unit, each of which is coupled to the data TLB unit 772 in memory unit 770. L2 cache unit 776 is coupled to one or more other levels of cache and eventually to a main memory.
By way of example, the exemplary register renaming, out-of-order issue/execution core architecture may implement pipeline 700 of Fig. 7A as follows: 1) instruction fetch 738 performs fetch stage 702 and length decode stage 704; 2) decode unit 740 performs decode stage 706; 3) rename/allocator unit 752 performs allocation stage 708 and renaming stage 710; 4) the scheduler units 756 perform scheduling stage 712; 5) the physical register file units 758 and memory unit 770 perform register read/memory read stage 714, and execution cluster 760 performs execute stage 716; 6) memory unit 770 and the physical register file units 758 perform write back/memory write stage 718; 7) various units may be involved in exception handling stage 722; and 8) retirement unit 754 and the physical register file units 758 perform commit stage 724.
Core 790 may support one or more instruction sets (for example, the x86 instruction set (with some extensions that have been added with newer versions); the MIPS instruction set of MIPS Technologies of Sunnyvale, California; the ARM instruction set (with optional additional extensions such as NEON) of ARM Holdings of Sunnyvale, California).
It should be understood that the core may support multithreading (executing two or more parallel sets of operations or threads) and may do so in a variety of ways, including time-sliced multithreading, simultaneous multithreading (where a single physical core provides a logical core for each of the threads that the physical core is simultaneously multithreading), or a combination thereof (for example, time-sliced fetching and decoding followed by simultaneous multithreading, such as in Intel® Hyper-Threading technology).
While register renaming is described in the context of out-of-order execution, it should be understood that register renaming may also be used in an in-order architecture. While the illustrated implementation of the processor also includes separate instruction and data cache units 734/774 and a shared L2 cache unit 776, alternative implementations may have a single internal cache for both instructions and data, such as a level 1 (L1) internal cache, or multiple levels of internal cache. In some implementations, the system may include a combination of an internal cache and an external cache that is outside the core and/or the processor. Alternatively, all of the caches may be external to the core and/or the processor.
Fig. 8 is a block diagram of the micro-architecture of a processing unit 800 that includes logic circuitry for providing isolation in a virtualization system using trust domains, according to one implementation. In some implementations, an instruction can be implemented to operate on data elements having sizes of byte, word, doubleword, quadword, etc., and data types such as single- and double-precision integer and floating-point types. In one implementation, the in-order front end 801 is the part of the processing unit 800 that fetches instructions to be executed and prepares them for later use in the processing unit pipeline. The implementations of providing isolation in a virtualization system using trust domains can be implemented in the processing unit 800.
The front end 801 may include several units. In one implementation, the instruction prefetcher 816 fetches instructions from memory and feeds them to an instruction decoder 818, which in turn decodes or interprets them. For example, in one implementation, the decoder decodes a received instruction into one or more operations called "micro-instructions" or "micro-operations" (also called micro-ops or uops) that the machine can execute. In other implementations, the decoder parses the instruction into an opcode and corresponding data and control fields that are used by the micro-architecture to perform operations in accordance with one implementation. In one implementation, the trace cache 830 takes decoded uops and assembles them into program-ordered sequences or traces in the uop queue 834 for execution. When the trace cache 830 encounters a complex instruction, the microcode ROM 832 provides the uops needed to complete the operation.
Some instructions are converted into a single micro-op, whereas others need several micro-ops to complete the full operation. In one implementation, if more than four micro-ops are needed to complete an instruction, the decoder 818 accesses the microcode ROM 832 to carry out the instruction. In one implementation, an instruction can be decoded into a small number of micro-ops for processing at the instruction decoder 818. In another implementation, an instruction can be stored within the microcode ROM 832 if a number of micro-ops are needed to accomplish the operation. The trace cache 830 refers to an entry point programmable logic array (PLA) to determine the correct micro-instruction pointer for reading the microcode sequences from the microcode ROM 832 to complete one or more instructions in accordance with one implementation. After the microcode ROM 832 finishes sequencing the micro-ops for an instruction, the front end 801 of the machine resumes fetching micro-ops from the trace cache 830.
The out-of-order execution engine 803 is where instructions are prepared for execution. The out-of-order execution logic has a number of buffers to smooth out and re-order the flow of instructions to optimize performance as they go down the pipeline and get scheduled for execution. The allocator logic allocates the machine buffers and resources that each uop needs in order to execute. The register renaming logic renames logical registers onto entries in a register file. The allocator also allocates an entry for each uop in one of two uop queues, one for memory operations and one for non-memory operations, in front of the instruction schedulers: the memory scheduler, the fast scheduler 802, the slow/general floating-point scheduler 804, and the simple floating-point scheduler 806. The uop schedulers 802, 804, 806 determine when a uop is ready to execute based on the readiness of its dependent input register operand sources and the availability of the execution resources the uop needs to complete its operation. The fast scheduler 802 of one implementation can schedule on each half of the main clock cycle, while the other schedulers can only schedule once per main processing unit clock cycle. The schedulers arbitrate for the dispatch ports to schedule uops for execution.
The register files 808, 810 sit between the schedulers 802, 804, 806 and the execution units 812, 814, 816, 818, 810, 812, 814 in the execution block 811. There are separate register files 808, 810 for integer and floating-point operations, respectively. Each register file 808, 810 of one implementation also includes a bypass network that can bypass or forward just-completed results that have not yet been written into the register file to new dependent uops. The integer register file 808 and the floating-point register file 810 are also capable of communicating data with each other. For one implementation, the integer register file 808 is split into two separate register files, one register file for the low-order 32 bits of data and a second register file for the high-order 32 bits of data. The floating-point register file 810 of one implementation has 128-bit wide entries because floating-point instructions typically have operands from 64 to 128 bits in width.
The execution block 811 contains the execution units 812, 814, 816, 818, 810, 812, 814, where the instructions are actually executed. This section includes the register files 808, 810 that store the integer and floating-point data operand values that the micro-instructions need in order to execute. The processing unit 800 of one implementation comprises a number of execution units: address generation unit (AGU) 812, AGU 814, fast ALU 816, fast ALU 818, slow ALU 810, floating-point ALU 812, and floating-point move unit 814. For one implementation, the floating-point execution blocks 812, 814 execute floating-point, MMX, SIMD, and SSE, or other operations. The floating-point ALU 812 of one implementation includes a 64-bit by 64-bit floating-point divider to execute divide, square root, and remainder micro-ops. For implementations of the disclosure, instructions involving a floating-point value may be handled by the floating-point hardware.
In one implementation, the ALU operations go to the high-speed ALU execution units 816, 818. The fast ALUs 816, 818 of one implementation can execute fast operations with an effective latency of half a clock cycle. For one implementation, most complex integer operations go to the slow ALU 810, because the slow ALU 810 includes integer execution hardware for long-latency operations such as a multiplier, shifts, flag logic, and branch processing. Memory load/store operations are executed by the AGUs 812, 814. For one implementation, the integer ALUs 816, 818, 810 are described in the context of performing integer operations on 64-bit data operands. In alternative implementations, the ALUs 816, 818, 810 can be implemented to support a variety of data bit widths, including 16, 32, 128, 256, etc. Similarly, the floating-point units 812, 814 can be implemented to support a range of operands of various bit widths. For one implementation, the floating-point units 812, 814 can operate on 128-bit wide packed data operands in conjunction with SIMD and multimedia instructions.
In one implementation, the uop schedulers 802, 804, 806 dispatch dependent operations before the parent load has finished executing. Because uops are speculatively scheduled and executed in the processing unit 800, the processing unit 800 also includes logic to handle memory misses. If a data load misses in the data cache, there can be dependent operations in flight in the pipeline that have left the scheduler with temporarily incorrect data. A replay mechanism tracks and re-executes the instructions that used incorrect data. Only the dependent operations need to be replayed; the independent ones are allowed to complete. The schedulers and replay mechanism of one implementation of a processing unit are also designed to catch instruction sequences for text string comparison operations.
The processing unit 800 also includes logic for providing isolation in a virtualization system using trust domains, according to one implementation. In one implementation, the execution block 811 of the processing unit 800 may include a TDRM 180, a MOT 160, a TDCS 124, and a TDTCS 128 to provide isolation in a virtualization system using trust domains, according to the description herein.
Term " register " can refer to can be used as identifying processing unit storage location on the plate of the part of the instruction of operand.It changes
Yan Zhi, register can be those workable registers except processing unit (for the angle of programmer).However, real
Existing register should be not limited to the circuit of concrete type in the sense.On the contrary, realize register can storing data and
Data are provided, and execute functions described in this article.Any amount of different technologies can be used in register described herein
It is realized by the circuit in processing unit, such as dedicated physical register is deposited using the dynamic allocation physics of register renaming
Device, combination that is dedicated and dynamically distributing physical register etc..In one implementation, integer registers store 32 integer datas.
The register file of one realization also includes 8 multimedia SIM D registers for packaged data.
For the discussions herein, the registers are understood to be data registers designed to hold packed data, such as the 64-bit wide MMX registers (also referred to as "mm" registers in some instances) in microprocessors enabled with MMX technology from Intel Corporation of Santa Clara, California. These MMX registers, available in both integer and floating-point forms, can operate with the packed data elements that accompany SIMD and SSE instructions. Similarly, 128-bit wide XMM registers relating to SSE2, SSE3, SSE4, or later (referred to generically as "SSEx") technology can also be used to hold such packed data operands. In one implementation, when storing packed data and integer data, the registers do not need to differentiate between the two data types. In one implementation, integer and floating-point data are either contained in the same register file or in different register files. Furthermore, in one implementation, floating-point and integer data may be stored in different registers or in the same registers.
Implementations may be implemented in many different system types. Referring now to Fig. 9, shown is a block diagram of a multiprocessing unit system 900 in accordance with an implementation. As shown in Fig. 9, the multiprocessing unit system 900 is a point-to-point interconnect system and includes a first processing unit 970 and a second processing unit 980 coupled via a point-to-point interconnect 950. As shown in Fig. 9, each of the processing units 970 and 980 may be a multicore processing unit including first and second processing unit cores (not shown), although potentially many more cores may be present in the processing units. The processing units each may include hybrid write mode logic in accordance with an implementation of the disclosure. The implementations of providing isolation in a virtualization system using trust domains can be implemented in the processing unit 970, the processing unit 980, or both.
While shown with two processing units 970, 980, it is to be understood that the scope of the disclosure is not so limited. In other implementations, one or more additional processing units may be present in a given processing unit.
The processing units 970 and 980 are shown including integrated memory controller units 972 and 982, respectively. The processing unit 970 also includes, as part of its bus controller units, point-to-point (P-P) interfaces 976 and 978; similarly, the second processing unit 980 includes P-P interfaces 986 and 988. The processing units 970, 980 may exchange information via a point-to-point (P-P) interface 950 using the P-P interface circuits 978, 988. As shown in Fig. 9, the IMCs 972 and 982 couple the processing units to respective memories, namely a memory 932 and a memory 934, which may be portions of main memory locally attached to the respective processing units.
The processing units 970, 980 may each exchange information with a chipset 990 via individual P-P interfaces 952, 954 using the point-to-point interface circuits 976, 994, 986, 998. The chipset 990 may also exchange information with a high-performance graphics circuit 938 via a high-performance graphics interface 939.
A shared cache (not shown) may be included in either processing unit or outside of both processing units, yet connected with the processing units via the P-P interconnect, such that the local cache information of either or both processing units may be stored in the shared cache if a processing unit is placed into a low-power mode.
The chipset 990 may be coupled to a first bus 916 via an interface 996. In one implementation, the first bus 916 may be a Peripheral Component Interconnect (PCI) bus, or a bus such as a PCI Express bus or another third-generation I/O interconnect bus, although the scope of the disclosure is not so limited.
As shown in Fig. 9, various I/O devices 914 may be coupled to the first bus 916, along with a bus bridge 918 that couples the first bus 916 to a second bus 920. In one implementation, the second bus 920 may be a low pin count (LPC) bus. Various devices may be coupled to the second bus 920, including, for example, a keyboard and/or mouse 922, communication devices 927, and a storage unit 928 such as a disk drive or other mass storage device, which in one implementation may include instructions/code and data 930. Further, an audio I/O 924 may be coupled to the second bus 920. Note that other architectures are possible. For example, instead of the point-to-point architecture of Fig. 9, a system may implement a multi-drop bus or another such architecture.
Referring now to Fig. 10, shown is a block diagram of a third system 1000 in accordance with an implementation of the disclosure. Like elements in Fig. 9 and Fig. 10 bear like reference numerals, and certain aspects of Fig. 9 have been omitted from Fig. 10 in order to avoid obscuring other aspects of Fig. 10.
Fig. 10 illustrates that the processing units 970, 980 may include integrated memory and I/O control logic ("CL") 972 and 982, respectively. For at least one implementation, the CL 972, 982 may include integrated memory controller units such as those described herein. In addition, the CL 972, 982 may also include I/O control logic. Fig. 9 illustrates that the memories 932, 934 are coupled to the CL 972, 982, and that I/O devices 1014 are also coupled to the control logic 972, 982. Legacy I/O devices 1015 are coupled to the chipset 990. The implementations of providing isolation in a virtualization system using trust domains can be implemented in the processing unit 970, the processing unit 980, or both.
Fig. 11 is an exemplary system on a chip (SoC) that may include one or more of the cores 1102. Other system designs and configurations known in the art for laptops, desktops, handheld PCs, personal digital assistants, engineering workstations, servers, network devices, network backbones, switches, embedded processing units, digital signal processing units (DSPs), graphics devices, video game devices, set-top boxes, microcontrollers, cell phones, portable media players, handheld devices, and various other electronic devices are also suitable. In general, a wide variety of systems or electronic devices capable of incorporating a processing unit and/or other execution logic as disclosed herein are generally suitable.
Referring now to Fig. 11, shown is a block diagram of a SoC 1100 in accordance with an implementation of the disclosure. In addition, dashed-line boxes indicate features on more advanced SoCs. In Fig. 11, one or more interconnect units 1102 are coupled to: an application processing unit 1110, which includes a set of one or more shared cache units 1106 and one or more cores 1102A-N; a system agent unit 1112; one or more bus controller units 1116; one or more integrated memory controller units 1114; a set of one or more media processing units 1120, which may include integrated graphics logic 1108, an image processing unit 1124 for providing still and/or video camera functionality, an audio processing unit 1126 for providing hardware audio acceleration, and a video processing unit 1128 for providing video encode/decode acceleration; a static random access memory (SRAM) unit 1130; a direct memory access (DMA) unit 1132; and a display unit 1140 for coupling to one or more external displays. The implementations of providing isolation in a virtualization system using trust domains can be implemented in the SoC 1100.
Turning next to Fig. 12, an implementation of a SoC design in accordance with implementations of the disclosure is depicted. As an illustrative example, the SoC 1200 is included in user equipment (UE). In one implementation, UE refers to any device to be used by an end user to communicate, such as a hand-held phone, smartphone, tablet, ultra-thin notebook, notebook with a broadband adapter, or any other similar communication device. A UE may connect to a base station or node, which can correspond in nature to a mobile station (MS) in a GSM network. The implementations of providing isolation in a virtualization system using trust domains can be implemented in the SoC 1200.
Here, the SoC 1220 includes 2 cores, 1206 and 1207. Similar to the discussion above, the cores 1206 and 1207 may conform to an instruction set architecture, such as a processing unit having the Intel Architecture Core, an Advanced Micro Devices, Inc. (AMD) processing unit, a MIPS-based processing unit, an ARM-based processing unit design, or a customer thereof, as well as their licensees or adopters. The cores 1206 and 1207 are coupled to a cache control 1208 that is associated with a bus interface unit 1209 and an L2 cache 1210 to communicate with other parts of the system 1200. The interconnect 1211 includes an on-chip interconnect, such as an IOSF, AMBA, or other interconnect discussed above, which can implement one or more aspects of the described disclosure.
Interconnection 1211 to other components provide communication channel, such as subscriber identity module (SIM) 1230 with SIM card pair
It connects, guides ROM 1235 and be used to initialize and guide SoC 1200 by the execution of core 1206 and 1207 to keep guidance code,
Sdram controller 1240 with external memory (such as DRAM 1260) to dock, and flash controller 1245 with non-volatile to deposit
Reservoir (such as flash memory 1265) docking, peripheral hardware control 1250(such as Serial Peripheral Interface (SPI)) to be docked with peripheral hardware, coding and decoding video
Device 1220 and video interface 1225 are to show and receive input (for example, touching enabled input), and GPU 1215 is to execute figure phase
Close calculating etc..It can be in conjunction with the aspect of realization described herein in any of these interfaces.
In addition, the system illustrates peripherals for communication, such as a Bluetooth module 1270, a 3G modem 1275, a GPS 1280, and Wi-Fi 1285. Note that, as stated above, a UE includes a radio for communication. As a result, these peripheral communication modules may not all be included. However, in a UE, some form of radio for external communication should be included.
Fig. 13 illustrates a diagrammatic representation of a machine in the example form of a computing system 1300, within which a set of instructions for causing the machine to perform any one or more of the methodologies discussed herein may be executed. In alternative implementations, the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, or the Internet. The machine may operate in the capacity of a server or a client device in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a personal digital assistant (PDA), a cellular telephone, a web appliance, a server, a network router, switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term "machine" shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein. The implementations of the page conversion and the sections described herein can be implemented in the computing system 1300.
The computing system 1300 includes a processing unit 1302, a main memory 1304 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or DRAM (RDRAM), etc.), a static memory 1306 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 1318, which communicate with each other via a bus 1330.
The processing unit 1302 represents one or more general-purpose processing units such as a microprocessor, a central processing unit, or the like. More particularly, the processing unit may be a complex instruction set computing (CISC) microprocessor, a reduced instruction set computer (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, a processing unit implementing other instruction sets, or a processing unit implementing a combination of instruction sets. The processing unit 1302 may also be one or more special-purpose processing units such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processing unit (DSP), a network processing unit, or the like. In one implementation, the processing unit 1302 may include one or more processing unit cores. The processing unit 1302 is configured to execute the processing logic 1326 for performing the operations discussed herein. In one implementation, the processing unit 1302 can be part of the computer system 100 of Fig. 1. Alternatively, the computing system 1300 can include other components as described herein. It should be understood that the core may support multithreading (executing two or more parallel sets of operations or threads), and may do so in a variety of ways, including time-sliced multithreading, simultaneous multithreading (where a single physical core provides a logical core for each of the threads that the physical core is simultaneously multithreading), or a combination thereof (e.g., time-sliced fetching and decoding followed by simultaneous multithreading, as in Intel Hyper-Threading technology).
The computing system 1300 may further include a network interface device 1308 communicably coupled to a network 1320. The computing system 1300 may also include a video display unit 1310 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 1312 (e.g., a keyboard), a cursor control device 1314 (e.g., a mouse), a signal generation device 1316 (e.g., a speaker), or other peripheral devices. Furthermore, the computing system 1300 may include a graphics processing unit 1322, a video processing unit 1328, and an audio processing unit 1332. In another implementation, the computing system 1300 may include a chipset (not shown), which refers to a group of integrated circuits, or chips, that are designed to work with the processing unit 1302 and control communications between the processing unit 1302 and external devices. For example, the chipset may be a set of chips on a motherboard that links the processing unit 1302 to very high-speed devices, such as the main memory 1304 and graphics controllers, and links the processing unit 1302 to lower-speed peripheral buses, such as USB, PCI, or ISA buses.
The data storage device 1318 may include a computer-readable storage medium 1324 on which is stored software 1326 embodying any one or more of the methodologies or functions described herein. The software 1326 may also reside, completely or at least partially, within the main memory 1304 as instructions 1326 and/or within the processing unit 1302 as processing logic 1326 during its execution by the computing system 1300; the main memory 1304 and the processing unit 1302 also constitute computer-readable storage media.
The computer-readable storage medium 1324 may also be used to store instructions 1326 utilizing the processing unit 1302, such as described with respect to Fig. 1, and/or a software library containing methods that call the applications above. While the computer-readable storage medium 1324 is shown in an example implementation to be a single medium, the term "computer-readable storage medium" should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term "computer-readable storage medium" shall also be taken to include any medium that is capable of storing, encoding, or carrying a set of instructions for execution by the machine and that causes the machine to perform any one or more of the methodologies of the implementations. The term "computer-readable storage medium" shall accordingly be taken to include, but not be limited to, solid-state memories, and optical and magnetic media.
The following examples pertain to further implementations. Example 1 is a processing unit for providing isolation in a virtualization system using trust domains. Further to Example 1, the processing unit comprises: a memory ownership table (MOT) that is access-controlled against software access; and a processing core. Further to Example 1, the processing core is to: execute a trust domain resource manager (TDRM) to manage a trust domain (TD); maintain a trust domain control structure (TDCS) for managing global metadata for one or more of the TD or other TDs executed by the processing unit; maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is referenced by the TDCS and is access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM), or the other TDs; reference the MOT to obtain at least one key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID allowing the processing unit to decrypt memory pages assigned to the TD in response to the processing unit executing in the context of the TD, the memory pages assigned to the TD being encrypted with the encryption key; and reference the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD, wherein a match of the guest physical address obtained from the MOT with an accessed guest physical address allows the processing unit to access the memory page assigned to the TD in response to the processing unit executing in the context of the TD.
In Example 2, the subject matter of Example 1 can optionally include wherein the VMM comprising the TDRM component provides memory management via extended page tables (EPTs) for at least one of the TD, the other TDs, or one or more virtual machines (VMs). In Example 3, the subject matter of any one of Examples 1-2 can optionally include wherein the TD-TCS references the TDCS, wherein the TDCS maintains a count of the one or more TD-TCSs corresponding to logical processors of the TD, and wherein the TD-TCS stores a user execution state and a supervisor execution state of the TD. In Example 4, the subject matter of any one of Examples 1-3 can optionally include wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing unit.
In Example 5, the subject matter of any one of Examples 1-4 can optionally include wherein the MK-TME engine generates a plurality of encryption keys accessed via the key ID assigned to the TD, to encrypt and decrypt the memory pages of the TD and to encrypt and decrypt persistent memory storage pages assigned to the TD, and wherein the MOT tracks the plurality of key IDs via a key ID associated with each entry in the MOT. In Example 6, the subject matter of any one of Examples 1-5 can optionally include wherein the processing core references the MOT for a host physical memory page accessed as part of a page walk operation, to access a guest physical memory page mapped by the EPT. In Example 7, the subject matter of any one of Examples 1-6 can optionally include wherein the TD comprises at least one of an operating system (OS) to manage one or more applications or the VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation transfers the operational context of the processing core from at least one of the VMM to the OS of the TD or from the TDRM to the VMM of the TD.
In Example 8, the subject matter of any one of Examples 1-7 can optionally include wherein the TDRM is not included in the trusted computing base (TCB) of the TD. In Example 9, the subject matter of any one of Examples 1-8 can optionally include wherein the TDCS comprises a signature structure that captures a cryptographic measurement of the TD, the cryptographic measurement being signed by a hardware root of trust of the processing unit, and wherein the signature structure is provided to an attestation party to verify the cryptographic measurement.
In Example 10, the subject matter of any one of Examples 1-9 can optionally include wherein the processing core also maintains a measurement state of the TD in the TDCS, the TDCS being access-controlled against software access from software executed by the processing unit, including at least the TDRM, the VMM, or the other TDs. In Example 11, the subject matter of any one of Examples 1-10 can optionally include wherein the TDRM manages the TD and the other TDs. All optional features of the apparatus described above may also be implemented with respect to the methods or processes described herein.
Example 12 is a method for providing isolation in a virtualization system using trust domains, comprising: identifying, by a processing unit executing a trust domain resource manager (TDRM) to manage a trust domain (TD) executed by the processing unit, a TD exit event; in response to identifying the TD exit event, saving, using a first key identifier (ID) corresponding to a first encryption key assigned to the TD, a TD user execution state and a TD supervisor execution state into a trust domain thread control structure (TD-TCS) corresponding to a logical processor assigned to the TD, the execution state being encrypted by the first encryption key, wherein the TD-TCS is access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM), or other TDs executed by the processing unit; modifying a key ID state of the processing unit from the first key ID to a second key ID corresponding to at least one of the TDRM or the VMM; and loading TDRM execution and control state and TDRM exit information to cause the processing unit to operate in the context of the TDRM.
In Example 13, the subject matter of Example 12 can optionally include: executing a TD enter event in the context of the TDRM; loading, using a second key identifier (ID) corresponding to a second encryption key assigned to the TDRM, TDRM execution controls specified by the TDRM from a trust domain resource manager control structure (TD-RCS) corresponding to the logical processor assigned to the TD, the execution state being encrypted by the second encryption key, wherein the TD-RCS is access-controlled via extended page tables (EPTs) against at least one of the TD or other VMs executed by the processing unit; modifying the key ID state of the processing unit from the second key ID to the first key ID corresponding to the TD; and loading the user execution state and the supervisor execution state from the TD-TCS to cause the processing unit to operate in the context of the TD. In Example 14, the subject matter of any one of Examples 12-13 can optionally include wherein the TDCS and the TD-TCS are confidentiality-protected and access-controlled via a memory ownership table (MOT) of the processing unit, the MOT comprising a first entry for the TDCS that associates the first key ID with the TD, wherein the MOT uses the first key ID to enforce memory confidentiality of memory accesses to memory pages corresponding to the TD.
In Example 15, the subject matter of any one of Examples 12-14 can optionally include wherein the MOT is access-controlled via a range register. In Example 16, the subject matter of any one of Examples 12-15 can optionally include wherein the TDRM execution and control state is loaded from the TD-RCS structure, which is access-controlled via the EPT and the MOT, wherein the MOT includes a second entry for the TD-RCS structure that associates the second key ID with the physical memory page containing the TD-RCS, and wherein the MOT uses the second key ID to enforce memory confidentiality for memory accesses to memory pages corresponding to the TDRM. In Example 17, the subject matter of any one of Examples 12-16 can optionally include wherein the VMM is a root VMM comprising the TDRM to manage one or more TDs, wherein the TD comprises a non-root VMM to manage one or more virtual machines (VMs), and wherein the TD exit transfers the operating context of the processing core from the non-root VMM of the TD or the one or more VMs to the VMM and the TDRM.
In Example 18, the subject matter of any one of Examples 12-17 can optionally include wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, and wherein the MK-TME engine generates multiple encryption keys, assigned to the TD via key IDs, for encrypting ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT tracks the multiple encryption key IDs, with each host physical page in the MOT referencing one key ID.
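The TD exit and TD entry key-ID switch of Examples 12-13 and the MOT ownership check of Examples 14-19 can be followed more easily in a small software model. The block below is an added illustrative example written for this page; it is not code from the patent or from any processor implementation. The structure layouts, the `TD_NONE`/`KEYID_TDRM` values, the toy XOR "encryption" standing in for the MK-TME engine, and the page and TD numbers in the demo scenario are all assumptions made for this example.

```c
/* Added illustrative model (not code from the patent): simulates the MOT
 * ownership check and the TD exit / TD entry key-ID switch. Names, layout
 * and the toy "encryption" are assumptions made for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MOT_ENTRIES 8
#define TD_NONE     0   /* current_td == TD_NONE: running in TDRM context */
#define KEYID_TDRM  1   /* key ID assigned to the TDRM (assumed value) */

/* One MOT entry per host physical page: key ID, owning TD, mapped GPA. */
typedef struct {
    bool     valid;
    uint8_t  key_id;
    uint16_t owner_td;
    uint64_t gpa;
} mot_entry_t;

/* TD-TCS: saved state of one logical processor, encrypted under the TD key. */
typedef struct {
    uint16_t owner_td;
    uint8_t  key_id;
    uint64_t user_state_enc;
    uint64_t sup_state_enc;
} td_tcs_t;

/* Per logical-processor state: key ID in effect and live (plaintext) state. */
typedef struct {
    uint8_t  key_id_state;
    uint16_t current_td;
    uint64_t user_state;
    uint64_t sup_state;
} lp_state_t;

static mot_entry_t mot[MOT_ENTRIES];

/* Toy stand-in for MK-TME: only models "different key ID, different ciphertext". */
static uint64_t toy_pad(uint8_t key_id)
{
    return 0x9E3779B97F4A7C15ULL * (uint64_t)(key_id + 1);
}

/* MOT check: the executing TD may access host page hpa only if the entry is
 * owned by that TD, carries the TD's key ID and records the accessed GPA. */
bool mot_check_access(const lp_state_t *lp, unsigned hpa, uint64_t accessed_gpa)
{
    if (hpa >= MOT_ENTRIES || !mot[hpa].valid) return false;
    const mot_entry_t *e = &mot[hpa];
    return e->owner_td == lp->current_td && e->key_id == lp->key_id_state
        && e->gpa == accessed_gpa;
}

/* TD exit: save user and supervisor state into the TD-TCS under the TD's
 * key ID, then switch the processor's key ID state to the TDRM's key. */
bool td_exit(lp_state_t *lp, td_tcs_t *tcs)
{
    if (lp->current_td == TD_NONE || tcs->owner_td != lp->current_td) return false;
    uint64_t pad = toy_pad(lp->key_id_state);
    tcs->key_id = lp->key_id_state;
    tcs->user_state_enc = lp->user_state ^ pad;
    tcs->sup_state_enc  = lp->sup_state ^ pad;
    lp->user_state = lp->sup_state = 0;   /* no TD state stays live */
    lp->key_id_state = KEYID_TDRM;
    lp->current_td = TD_NONE;
    return true;
}

/* TD entry: allowed only from TDRM context; switch the key ID state to the
 * TD's key, then load (decrypt) the TD-TCS contents. */
bool td_enter(lp_state_t *lp, const td_tcs_t *tcs)
{
    if (lp->current_td != TD_NONE || lp->key_id_state != KEYID_TDRM) return false;
    uint64_t pad = toy_pad(tcs->key_id);
    lp->key_id_state = tcs->key_id;
    lp->current_td = tcs->owner_td;
    lp->user_state = tcs->user_state_enc ^ pad;
    lp->sup_state  = tcs->sup_state_enc ^ pad;
    return true;
}

/* Constructed scenario: TD 7 owns page 2 under key ID 5, TD 8 owns page 3. */
void setup_demo(lp_state_t *lp, td_tcs_t *tcs)
{
    mot[2] = (mot_entry_t){ .valid = true, .key_id = 5, .owner_td = 7, .gpa = 0x1000 };
    mot[3] = (mot_entry_t){ .valid = true, .key_id = 6, .owner_td = 8, .gpa = 0x2000 };
    *tcs = (td_tcs_t){ .owner_td = 7, .key_id = 5 };
    *lp  = (lp_state_t){ .key_id_state = 5, .current_td = 7,
                         .user_state = 0x1111, .sup_state = 0x2222 };
}

int main(void)
{
    lp_state_t lp; td_tcs_t tcs;
    setup_demo(&lp, &tcs);
    printf("TD 7 -> own page %d, TD 8's page %d\n",
           mot_check_access(&lp, 2, 0x1000), mot_check_access(&lp, 3, 0x2000));
    td_exit(&lp, &tcs);
    printf("TDRM -> TD 7's page %d\n", mot_check_access(&lp, 2, 0x1000));
    td_enter(&lp, &tcs);
    printf("restored %d\n", lp.user_state == 0x1111);
    return 0;
}
```

The point the model makes explicit is that the key ID state of the logical processor is part of the access decision: after `td_exit` the TDRM runs with its own key ID and the MOT refuses it the TD's page even though the TDRM is the component that manages that page, which is what keeps the TDRM out of the TD's trusted computing base.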
Example 19 is a system for providing isolation in a virtualization system using trust domains. In Example 19, the system includes: a memory device to store instructions; and a processing device operatively coupled to the memory device. With further reference to Example 19, the processing device executes the instructions to: execute a trust domain resource manager (TDRM) to manage a trust domain (TD), wherein the TDRM is not included in the trusted computing base (TCB) of the TD; maintain a supervisor execution state and a user execution state of the TD in a trust domain thread control structure (TD-TCS), the TD-TCS being access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM) or other TDs executed by the processing device; reference the MOT to obtain at least one encryption key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID allowing the processing device to decrypt memory pages assigned to the TD in response to the processing device executing in the context of the TD, the memory pages assigned to the TD being encrypted by the encryption key identified by the encryption key ID; and reference the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD, wherein a match between that guest physical address and the accessed guest physical address allows the processing device to access the memory page assigned to the TD in response to the processing device executing in the context of the TD.
In Example 20, the subject matter of Example 19 can optionally include wherein the VMM comprises a TDRM component to provide memory management via extended page tables (EPT) for one or more of: the TD, other TDs, or one or more virtual machines (VMs).
In Example 21, the subject matter of any one of Examples 19-20 can optionally include wherein the TD-TCS corresponds to a logical processor of the TD, the TD-TCS storing the supervisor execution state and the user execution state of the TD on a TD exit operation and loading the user and supervisor execution state of the TD on a TD entry operation, wherein the TD-TCS is access-controlled against software access from at least one of the TDRM, the VMM or the other TDs executed by the processing device. In Example 22, the subject matter of any one of Examples 19-21 can optionally include wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, and wherein the MK-TME engine generates multiple encryption keys, assigned to the TD via key IDs, for encrypting ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT tracks the multiple encryption key IDs via a key ID associated with each entry in the MOT.
In Example 23, the subject matter of any one of Examples 19-22 can optionally include wherein the VMM comprises the TDRM to manage the TD, wherein the TD comprises an operating system (OS) or a non-root VMM to manage one or more virtual machines (VMs), and wherein the TD entry operation transfers the operating context of the processing core from the TDRM to the non-root VMM of the TD. All optional features of the system described above may also be implemented with respect to the methods and processes described herein.
Example 24 is a non-transitory machine-readable storage medium for providing isolation in a virtualization system using trust domains. In Example 24, the non-transitory machine-readable storage medium includes data which, when accessed by a processing device, cause the processing device to perform operations comprising: identifying a TD entry event, while executing in the processing device context of the TDRM, by the processing device executing a trust domain resource manager (TDRM) to manage a trust domain (TD); in response to identifying the TD entry event, using a first key identifier (ID) corresponding to a first encryption key assigned to the TDRM to load a TDRM control state of the TDRM from a trust domain resource manager control structure (TDRCS) corresponding to the TDRM, the TDRM control state being encrypted by the first encryption key, wherein the TDRCS is access-controlled against software access from at least one of the TD or other TDs executed by the processing device; modifying a key ID state of the processing device from the first key ID to a second key ID corresponding to a second encryption key assigned to the TD; and loading a supervisor execution state and a TD user execution state of the TD from a trust domain thread control structure (TD-TCS) so that the processing device operates in the context of the TD, wherein the TD-TCS is access-controlled against software access from at least one of the TDRM or the other TDs executed by the processing device.
In Example 25, the subject matter of Example 24 can optionally include: executing a TD entry event in the context of the TDRM; using a second key identifier (ID) corresponding to a second encryption key assigned to the TDRM to load a TDRM execution control specified by the TDRM from a trust domain resource manager control structure (TD-RCS) corresponding to the logical processor assigned to the TD, the execution state being encrypted by the second encryption key, wherein the TD-RCS is access-controlled by an extended page table (EPT) against at least one of the TD or other VMs executed by the processing device; modifying the key ID state of the processing device from the second key ID to the first key ID corresponding to the TD; and loading the user execution state and the supervisor execution state from the TD-TCS so that the processing device operates in the context of the TD.
In Example 26, the subject matter of Examples 30-31 can optionally include wherein the TDCS and the TD-TCS are confidentiality-protected and access-controlled via a memory ownership table (MOT) of the processing device, the MOT including a first entry for the TDCS that associates the first key ID with the TD, wherein the MOT uses the first key ID to enforce memory confidentiality for memory accesses to memory pages corresponding to the TD. In Example 27, the subject matter of Examples 30-32 can optionally include wherein the MOT is access-controlled via a range register.
In Example 28, the subject matter of Examples 30-33 can optionally include wherein the TDRM execution and control state is loaded from the TD-RCS structure, which is access-controlled via the EPT and the MOT, wherein the MOT includes a second entry for the TD-RCS structure that associates the second key ID with the physical memory page containing the TD-RCS, and wherein the MOT uses the second key ID to enforce memory confidentiality for memory accesses to memory pages corresponding to the TDRM.
In Example 29, the subject matter of Examples 30-34 can optionally include wherein the VMM is a root VMM comprising the TDRM to manage one or more TDs, wherein the TD comprises a non-root VMM to manage one or more virtual machines (VMs), and wherein the TD exit transfers the operating context of the processing core from the non-root VMM of the TD or the one or more VMs to the VMM and the TDRM. In Example 30, the subject matter of Examples 30-35 can optionally include wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, and wherein the MK-TME engine generates multiple encryption keys, assigned to the TD via key IDs, for encrypting ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT tracks the multiple encryption key IDs, with each host physical page in the MOT referencing one key ID.
Example 31 is an apparatus for providing isolation in a virtualization system using trust domains, comprising: means for executing, by a processing device, a trust domain resource manager (TDRM) to manage a trust domain (TD), the TD being executed by the processing device; means for maintaining a trust domain control structure (TDCS) for managing one or more global metadata of the TD or of other TDs executed by the processing device; means for maintaining the execution state of the TD in one or more trust domain thread control structures (TD-TCS) that are access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM) or the other TDs; means for referencing the MOT to obtain at least one key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID allowing the processing device secret access to memory pages assigned to the TD in response to the processing device executing in the context of the TD, the memory pages assigned to the TD being encrypted by the encryption key; and means for referencing the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD, wherein a match between the guest physical address obtained from the MOT and the accessed guest physical address allows the processing device to access the memory page assigned to the TD in response to the processing device executing in the context of the TD. In Example 32, the subject matter of Example 31 can optionally include the apparatus being further configured to include the subject matter of any one of Examples 2 to 11.
Example 33 is a system for providing isolation in a virtualization system using trust domains, the system comprising a memory device to store instructions and a processing core operatively coupled to the memory device. With further reference to Example 33, the processing core is to: execute a trust domain resource manager (TDRM) to manage a trust domain (TD) executed on the processing device; identify a TD exit event; in response to identifying the TD exit event, use a first key identifier (ID) corresponding to a first encryption key assigned to the TD to save a user execution state and a TD supervisor execution state of the TD into a trust domain thread control structure (TD-TCS) corresponding to a logical processor assigned to the TD, the execution state being encrypted by the first encryption key, wherein the TD-TCS is access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM) executed by the processing device, or other TDs; modify a key ID state of the processing device from the first key ID to a second key ID corresponding to at least one of the TDRM or the VMM; and load a TDRM execution and control state and TDRM exit information so that the processing device operates in the context of the TDRM. In Example 34, the subject matter of Example 33 can optionally include the subject matter of any one of Examples 13 to 18.
Example 35 is an apparatus for implementing the provision of isolation in a virtualization system using trust domains, comprising a memory and a processing device coupled to the memory, wherein the processing device is to perform the method of any one of Examples 12-18. Example 36 is an apparatus for implementing the provision of isolation in a virtualization system using trust domains, comprising means for performing the method of any one of Examples 12 to 18. Example 37 is at least one machine-readable medium comprising a plurality of instructions that, in response to being executed on a computing device, cause the computing device to carry out a method according to any one of Examples 12-18. Specifics in the examples may be used anywhere in one or more embodiments.
While the present disclosure has been described with respect to a limited number of implementations, those skilled in the art will appreciate numerous modifications and variations therefrom. It is intended that the appended claims cover all such modifications and variations as fall within the true spirit and scope of this disclosure.
In the description herein, numerous specific details are set forth, such as examples of specific types of processing devices and system configurations, specific hardware structures, specific architectural and micro-architectural details, specific register configurations, specific instruction types, specific system components, specific measurements/heights, specific processing device pipeline stages and operations, etc., in order to provide a thorough understanding of the present disclosure. It will be apparent, however, to one skilled in the art that these specific details need not be employed to practice the disclosure. In other instances, well-known components or methods, such as specific and alternative processing device architectures, specific logic circuits/code for described algorithms, specific firmware code, specific interconnect operation, specific logic configurations, specific manufacturing techniques and materials, specific compiler implementations, specific expression of algorithms in code, specific power-down and gating techniques/logic and other specific operational details of computer systems have not been described in detail in order to avoid unnecessarily obscuring the present disclosure.
Implementations are described with reference to providing isolation in virtualization systems using trust domains in specific integrated circuits, such as in computing platforms or microprocessors. The implementations may also be applicable to other types of integrated circuits and programmable logic devices. For example, the disclosed implementations are not limited to desktop computer systems or portable computers, such as Intel Ultrabooks computers, and may also be used in other devices, such as handheld devices, tablets, other thin notebooks, system-on-chip (SoC) devices and embedded applications. Some examples of handheld devices include cellular phones, Internet protocol devices, digital cameras, personal digital assistants (PDAs) and handheld PCs. Embedded applications typically include a microcontroller, a digital signal processor (DSP), a system on chip, network computers (NetPC), set-top boxes, network hubs, wide area network (WAN) switches, or any other system that can perform the functions and operations taught below. It is described that the system can be any kind of computer or embedded system. The disclosed implementations may especially be used for low-end devices, such as wearable devices (e.g., watches), electronic implants, sensory and control infrastructure devices, controllers, supervisory control and data acquisition (SCADA) systems, and the like. Moreover, the apparatuses, methods and systems described herein are not limited to physical computing devices, but may also relate to software optimizations for energy conservation and efficiency. As will become readily apparent in the description below, the implementations of the methods, apparatuses and systems described herein (whether in reference to hardware, firmware, software or a combination thereof) are vital to a "green technology" future balanced with performance considerations.
Although the implementations herein are described with reference to a processor, other implementations are applicable to other types of integrated circuits and logic devices. Similar techniques and teachings of implementations of the present disclosure can be applied to other types of circuits or semiconductor devices that can benefit from higher pipeline throughput and improved performance. The teachings of implementations of the present disclosure are applicable to any processing device or machine that performs data manipulations. However, the present disclosure is not limited to processing devices or machines that perform 512-bit, 256-bit, 128-bit, 64-bit, 32-bit or 16-bit data operations, and can be applied to any processing device and machine in which manipulation or management of data is performed. In addition, the description herein provides examples, and the accompanying drawings show various examples for the purposes of illustration. However, these examples should not be construed in a limiting sense, as they are merely intended to provide examples of implementations of the present disclosure rather than an exhaustive list of all possible implementations of the present disclosure.
Although the examples below describe instruction handling and distribution in the context of execution units and logic circuits, other implementations of the present disclosure can be accomplished by way of data or instructions stored on a machine-readable, tangible medium, which when performed by a machine cause the machine to perform functions consistent with at least one implementation of the disclosure. In one implementation, functions associated with implementations of the present disclosure are embodied in machine-executable instructions. The instructions can be used to cause a general-purpose or special-purpose processing device that is programmed with the instructions to perform the steps of the present disclosure. Implementations of the present disclosure may be provided as a computer program product or software which may include a machine- or computer-readable medium having stored thereon instructions which may be used to program a computer (or other electronic devices) to perform one or more operations according to implementations of the present disclosure. Alternatively, operations of implementations of the present disclosure might be performed by specific hardware components that contain fixed-function logic for performing the operations, or by any combination of programmed computer components and fixed-function hardware components.
Instructions used to program logic to perform implementations of the disclosure can be stored within a memory in the system, such as DRAM, cache, flash memory or other storage. Furthermore, the instructions can be distributed via a network or by way of other computer-readable media. Thus a machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer), including but not limited to floppy diskettes, optical disks, compact disc read-only memory (CD-ROM) and magneto-optical disks, read-only memory (ROM), random access memory (RAM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic or optical cards, flash memory, or a tangible machine-readable storage used in the transmission of information over the Internet via electrical, optical, acoustical or other forms of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.). Accordingly, the computer-readable medium includes any type of tangible machine-readable medium suitable for storing or transmitting electronic instructions or information in a form readable by a machine (e.g., a computer).
A design may go through various stages, from creation to simulation to fabrication. Data representing a design may represent the design in a number of manners. First, as is useful in simulations, the hardware may be represented using a hardware description language or another functional description language. Additionally, a circuit-level model with logic and/or transistor gates may be produced at some stages of the design process. Furthermore, most designs, at some stage, reach a level of data representing the physical placement of various devices in the hardware model. In the case where conventional semiconductor fabrication techniques are used, the data representing the hardware model may be the data specifying the presence or absence of various features on different mask layers for masks used to produce the integrated circuit. In any representation of the design, the data may be stored in any form of machine-readable medium. A memory or a magnetic or optical storage such as a disc may be the machine-readable medium to store information transmitted via optical or electrical waves modulated or otherwise generated to transmit such information. When an electrical carrier wave indicating or carrying the code or design is transmitted, to the extent that copying, buffering or re-transmission of the electrical signal is performed, a new copy is made. Thus, a communication provider or a network provider may store on a tangible machine-readable medium, at least temporarily, an article, such as information encoded into a carrier wave, embodying techniques of implementations of the present disclosure.
A module as used herein refers to any combination of hardware, software and/or firmware. As an example, a module includes hardware, such as a microcontroller, associated with a non-transitory medium to store code adapted to be executed by the microcontroller. Therefore, reference to a module, in one implementation, refers to the hardware, which is specifically configured to recognize and/or execute the code to be held on a non-transitory medium. Furthermore, in another implementation, use of a module refers to the non-transitory medium including the code, which is specifically adapted to be executed by the microcontroller to perform predetermined operations. And as can be inferred, in yet another implementation, the term module (in this example) may refer to the combination of the microcontroller and the non-transitory medium. Often, module boundaries that are illustrated as separate commonly vary and potentially overlap. For example, a first and a second module may share hardware, software, firmware or a combination thereof, while potentially retaining some independent hardware, software or firmware. In one implementation, use of the term logic includes hardware, such as transistors, registers or other hardware, such as programmable logic devices.
Use of the phrase "configured to," in one implementation, refers to arranging, putting together, manufacturing, offering to sell, importing and/or designing an apparatus, hardware, logic or element to perform a designated or determined task. In this example, an apparatus or element thereof that is not operating is still "configured to" perform a designated task if it is designed, coupled and/or interconnected to perform said designated task. As a purely illustrative example, a logic gate may provide a 0 or a 1 during operation. But a logic gate "configured to" provide an enable signal to a clock does not include every potential logic gate that may provide a 1 or a 0. Instead, the logic gate is one coupled in some manner such that during operation the 1 or 0 output is to enable the clock. Note once again that use of the term "configured to" does not require operation, but instead focuses on the latent state of an apparatus, hardware and/or element, where in the latent state the apparatus, hardware and/or element is designed to perform a particular task when the apparatus, hardware and/or element is operating.
Furthermore, use of the phrases "to," "capable of/to" and/or "operable to," in one implementation, refers to some apparatus, logic, hardware and/or element designed in such a way as to enable use of the apparatus, logic, hardware and/or element in a specified manner. Note as above that use of "to," "capable to" or "operable to," in one implementation, refers to the latent state of an apparatus, logic, hardware and/or element, where the apparatus, logic, hardware and/or element is not operating but is designed in such a manner as to enable use of the apparatus in a specified manner.
A value, as used herein, includes any known representation of a number, a state, a logical state or a binary logical state. Often, the use of logic levels, logic values or logical values is also referred to as 1's and 0's, which simply represents binary logic states. For example, a 1 refers to a high logic level and a 0 refers to a low logic level. In one implementation, a storage cell, such as a transistor or flash cell, may be capable of holding a single logical value or multiple logical values. However, other representations of values in computer systems have been used. For example, the decimal number 10 may also be represented as a binary value of 1010 and a hexadecimal letter A. Therefore, a value includes any representation of information capable of being held in a computer system.
Moreover, states may be represented by values or portions of values. As an example, a first value, such as a logical one, may represent a default or initial state, while a second value, such as a logical zero, may represent a non-default state. In addition, the terms reset and set, in one implementation, refer to a default and an updated value or state, respectively. For example, a default value potentially includes a high logical value, i.e., reset, while an updated value potentially includes a low logical value, i.e., set. Note that any combination of values may be utilized to represent any number of states.
The implementations of methods, hardware, software, firmware or code set forth above may be implemented via instructions or code stored on a machine-accessible, machine-readable, computer-accessible or computer-readable medium which are executable by a processing element. A non-transitory machine-accessible/readable medium includes any mechanism that provides (i.e., stores and/or transmits) information in a form readable by a machine, such as a computer or electronic system. For example, a non-transitory machine-accessible medium includes random access memory (RAM), such as static RAM (SRAM) or dynamic RAM (DRAM); ROM; magnetic or optical storage media; flash memory devices; electrical storage devices; optical storage devices; acoustical storage devices; other forms of storage devices for holding information received from transitory (propagated) signals (e.g., carrier waves, infrared signals, digital signals); etc., which are to be distinguished from the non-transitory media that may receive information therefrom. Instructions used to program logic to perform implementations of the disclosure may be stored within a memory in the system, such as DRAM, cache, flash memory or other storage. Furthermore, the instructions can be distributed via a network or by way of other computer-readable media. Thus a machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer), including but not limited to floppy diskettes, optical disks, compact disc read-only memory (CD-ROM) and magneto-optical disks, read-only memory (ROM), random access memory (RAM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic or optical cards, flash memory, or a tangible machine-readable storage used in the transmission of information over the Internet via electrical, optical, acoustical or other forms of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.). Accordingly, the computer-readable medium includes any type of tangible machine-readable medium suitable for storing or transmitting electronic instructions or information in a form readable by a machine (e.g., a computer).
Reference throughout this specification to "one implementation" or "an implementation" means that a particular feature, structure or characteristic described in connection with the implementation is included in at least one implementation of the present disclosure. Thus, the appearances of the phrases "in one implementation" or "in an implementation" in various places throughout this specification are not necessarily all referring to the same implementation. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner in one or more implementations.
In the foregoing specification, a detailed description has been given with reference to specific exemplary implementations. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the disclosure as set forth in the appended claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense. Furthermore, the foregoing use of implementation, embodiment and/or other exemplary language does not necessarily refer to the same implementation or the same example, but may refer to different and distinct implementations, as well as potentially the same implementation.
Some portions of the detailed description are presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. The operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers or the like. The blocks described herein can be hardware, software, firmware or a combination thereof.
It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as "defining", "receiving", "determining", "issuing", "linking", "associating", "obtaining", "authenticating", "prohibiting", "executing", "requesting", "communicating", or the like, refer to the actions and processes of a computing system, or similar electronic computing device, that manipulates and transforms data represented as physical (e.g., electronic) quantities within the computing system's registers and memories into other data similarly represented as physical quantities within the computing system's memories or registers or other such information storage, transmission, or display devices.
The words "example" or "exemplary" are used herein to mean serving as an example, instance, or illustration. Any aspect or design described herein as "example" or "exemplary" is not necessarily to be construed as preferred or advantageous over other aspects or designs. Rather, use of the words "example" or "exemplary" is intended to present concepts in a concrete fashion. As used in this specification, the term "or" is intended to mean an inclusive "or" rather than an exclusive "or". That is, unless specified otherwise, or clear from context, "X includes A or B" is intended to mean any of the natural inclusive permutations. That is, if X includes A; X includes B; or X includes both A and B, then "X includes A or B" is satisfied under any of the foregoing instances. In addition, the articles "a" and "an" as used in this application and the appended claims should generally be construed to mean "one or more" unless specified otherwise or clear from context to be directed to a singular form. Moreover, use of the term "an embodiment" or "one embodiment" or "an implementation" or "one implementation" throughout is not intended to mean the same embodiment or implementation unless described as such. Furthermore, the terms "first", "second", "third", "fourth", etc. as used herein are meant as labels to distinguish among different elements and may not necessarily have an ordinal meaning according to their numerical designation.
The disclosure also discloses a group of technical solutions, as follows:
Technical solution 1. A processing device, comprising:
a memory ownership table (MOT) that is access-controlled against software access; and
a processing core to:
execute a trust domain (TD) and a trust domain resource manager (TDRM) to manage the TD;
maintain a trust domain control structure (TDCS) for managing global metadata for one or more of the TD or other TDs executed by the processing device;
maintain an execution state of the TD in one or more trust domain thread control structures (TD-TCS) that are referenced by the TDCS and are access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM), or the other TDs;
reference the MOT to obtain at least one key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID allowing the processing device to decrypt memory pages assigned to the TD in response to the processing device executing in the context of the TD, the memory pages assigned to the TD being encrypted with the encryption key; and
reference the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD, wherein a match between the guest physical address obtained from the MOT and the accessed guest physical address allows the processing device to access the memory pages assigned to the TD in response to the processing device executing in the context of the TD.
Technical solution 2. The processing device of technical solution 1, wherein the VMM comprises a TDRM component to provide memory management via extended page tables (EPT) for at least one of: the TD, the other TDs, or one or more virtual machines (VMs).
Technical solution 3. The processing device of technical solution 1, wherein the TD-TCS references the TDCS, wherein the TDCS maintains a count of the one or more TD-TCS corresponding to the logical processors of the TD, and wherein the TD-TCS stores a user execution state and a supervisor execution state of the TD.
Technical solution 4. The processing device of technical solution 1, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device.
Technical solution 5. The processing device of technical solution 4, wherein the MK-TME engine generates a plurality of encryption keys, accessed via key IDs assigned to the TD, for encrypting and decrypting the memory pages of the TD and for encrypting and decrypting memory pages corresponding to persistent memory assigned to the TD, and wherein the MOT tracks the plurality of key IDs via a key ID associated with each entry in the MOT.
Technical solution 6. The processing device of technical solution 2, wherein the processing core references the MOT for host physical memory pages accessed as part of a page walk operation to access guest physical memory pages mapped by the EPT.
Technical solution 7. The processing device of technical solution 1, wherein the TD comprises at least one of: an operating system (OS) to manage one or more applications, or a VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation transfers the operational context of the processing core from at least one of the VMM to the OS of the TD, or from the TDRM to the VMM of the TD.
Technical solution 8. The processing device of technical solution 1, wherein the TDRM is not included in a trusted computing base (TCB) of the TD.
Technical solution 9. The processing device of technical solution 1, wherein the TDCS comprises a signature structure that captures a cryptographic measurement of the TD, the cryptographic measurement being signed by a hardware root of trust of the processing device, and wherein the signature structure is provided to an attestation party to verify the cryptographic measurement.
Technical solution 10. The processing device of technical solution 1, wherein the processing core is further to maintain a measurement state of the TD in the TDCS, the TDCS being access-controlled against software accesses from software comprising at least one of the TDRM, the VMM, or the other TDs executed by the processing device.
Technical solution 11. The processing device of technical solution 1, wherein the TDRM manages the TD and the other TDs.
Technical solution 12. A method, comprising:
identifying, by a processing device executing a trust domain resource manager (TDRM) to manage a trust domain (TD) executed on the processing device, a TD exit event;
in response to identifying the TD exit event, saving, using a first key identifier (ID) corresponding to a first encryption key assigned to the TD, a TD user execution state and a TD supervisor execution state into a trust domain thread control structure (TD-TCS) corresponding to a logical processor assigned to the TD, the execution state being encrypted with the first encryption key, wherein the TD-TCS is access-controlled against software accesses from at least one of the TDRM, a virtual machine manager (VMM), or other TDs executed by the processing device;
modifying a key ID state of the processing device from the first key ID to a second key ID corresponding to at least one of the TDRM or the VMM; and
loading a TDRM execution and control state and TDRM exit information, so that the processing device operates in the context of the TDRM.
Technical solution 13. The method of technical solution 12, further comprising:
executing a TD enter event in the context of the TDRM;
loading, using a second key identifier (ID) corresponding to a second encryption key assigned to the TDRM, TDRM execution controls specified by the TDRM from a trust domain resource manager control structure (TD-RCS) corresponding to the logical processor assigned to the TD, the execution state being encrypted with the second encryption key, wherein the TD-RCS is access-controlled via extended page tables (EPT) against at least one of the TD or other VMs executed by the processing device;
modifying the key ID state of the processing device from the second key ID to the first key ID corresponding to the TD; and
loading the user execution state and the supervisor execution state from the TD-TCS, so that the processing device operates in the context of the TD.
Technical solution 14. The method of technical solution 13, wherein the TDCS and the TD-TCS are confidentiality-protected and access-controlled via a memory ownership table (MOT) of the processing device, the MOT comprising a first entry for the TDCS, the first entry associating the first key ID with the TD, wherein the MOT uses the first key ID to enforce memory confidentiality for memory accesses to memory pages corresponding to the TD.
Technical solution 15. The method of technical solution 12, wherein the MOT is access-controlled via range registers.
Technical solution 16. The method of technical solution 14, wherein the TDRM execution and control state is loaded from the TD-RCS structure, which is access-controlled via the EPT and the MOT, wherein the MOT comprises a second entry for the TD-RCS structure, the second entry associating the second key ID with the physical memory page containing the TD-RCS, and wherein the MOT uses the second key ID to enforce memory confidentiality for memory accesses to memory pages corresponding to the TDRM.
Technical solution 17. The method of technical solution 12, wherein the VMM is a root VMM comprising the TDRM to manage one or more TDs, wherein the TD comprises a non-root VMM to manage one or more virtual machines (VMs), and wherein the TD exit transfers the operational context of the processing core from the non-root VMM or the one or more VMs of the TD to the VMM and the TDRM.
Technical solution 18. The method of technical solution 12, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, wherein the MK-TME engine generates a plurality of encryption keys assigned to the TD via key IDs for encrypting ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT tracks the plurality of encryption key IDs, each host physical page in the MOT referencing one key ID.
Technical solution 19. A system, comprising:
a memory device to store instructions; and
a processing device operatively coupled to the memory device, the processing device executing the instructions to:
execute a trust domain resource manager (TDRM) to manage a trust domain (TD), wherein the TDRM is not included in a trusted computing base (TCB) of the TD;
maintain a supervisor execution state and a user execution state of the TD in a trust domain thread control structure (TD-TCS), the TD-TCS being access-controlled against software accesses from at least one of the TDRM, a virtual machine manager (VMM), or other TDs executed by the processing device;
reference the MOT to obtain at least one encryption key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID allowing the processing device to decrypt memory pages assigned to the TD in response to the processing device executing in the context of the TD, the memory pages assigned to the TD being encrypted with the encryption key identified via the encryption key ID; and
reference the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD, wherein a match between the guest physical address and the accessed guest physical address allows the processing device to access the memory pages assigned to the TD in response to the processing device executing in the context of the TD.
Technical solution 20. The system of technical solution 19, wherein the VMM comprises a TDRM component to provide memory management via extended page tables (EPT) for one or more of: the TD, the other TDs, or one or more virtual machines (VMs).
Technical solution 21. The system of technical solution 19, wherein the TD-TCS corresponds to a logical processor of the TD, wherein the TD-TCS stores the supervisor execution state and the user execution state of the TD on a TD exit operation and loads the user and supervisor execution state of the TD on a TD enter operation, and wherein the TD-TCS is access-controlled against software accesses from at least one of the TDRM, the VMM, or the other TDs executed by the processing device.
Technical solution 22. The system of technical solution 19, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, wherein the MK-TME engine generates a plurality of encryption keys assigned to the TD via key IDs for encrypting ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT tracks the plurality of encryption key IDs via a key ID associated with each entry in the MOT.
Technical solution 23. The system of technical solution 19, wherein the VMM comprises the TDRM to manage the TD, wherein the TD comprises an operating system (OS) or a non-root VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation transfers the operational context of the processing core from the TDRM to the non-root VMM of the TD.
Technical solution 24. A non-transitory machine-readable storage medium comprising data that, when accessed by a processing device, cause the processing device to perform operations comprising:
identifying, by the processing device executing a trust domain resource manager (TDRM) to manage a trust domain (TD), a TD enter event while executing in the processing device context of the TDRM;
in response to identifying the TD enter event, loading, using a first key identifier (ID) corresponding to a first encryption key assigned to the TDRM, a TDRM control state of the TDRM from a trust domain resource manager control structure (TDRCS) corresponding to the TDRM, the TDRM control state being encrypted with the first encryption key, wherein the TDRCS is access-controlled against software accesses from at least one of the TD or other TDs executed by the processing device;
modifying a key ID state of the processing device from the first key ID to a second key ID corresponding to a second encryption key assigned to the TD; and
loading a supervisor execution state and a TD user execution state of the TD from a trust domain thread control structure (TD-TCS), so that the processing device operates in the context of the TD, wherein the TD-TCS is access-controlled against software accesses from at least one of the TDRM or the other TDs executed by the processing device.
Technical solution 25. The non-transitory machine-readable storage medium of technical solution 24, wherein the TDCS and the TD-TCS are access-controlled via a memory ownership table (MOT) of the processing device, the MOT comprising a first entry for the TD-TCS, the first entry associating the first key ID with the TD, wherein the MOT uses the first key ID to enforce memory access control for memory accesses to memory pages corresponding to the TD.
Claims (25)
1. A processing device, comprising:
a memory ownership table (MOT) that is access-controlled against software access; and
a processing core to:
execute a trust domain (TD) and a trust domain resource manager (TDRM) to manage the TD;
maintain a trust domain control structure (TDCS) for managing global metadata for one or more of the TD or other TDs executed by the processing device;
maintain an execution state of the TD in one or more trust domain thread control structures (TD-TCS) that are referenced by the TDCS and are access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM), or the other TDs;
reference the MOT to obtain at least one key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID allowing the processing device to decrypt memory pages assigned to the TD in response to the processing device executing in the context of the TD, the memory pages assigned to the TD being encrypted with the encryption key; and
reference the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD, wherein a match between the guest physical address obtained from the MOT and the accessed guest physical address allows the processing device to access the memory pages assigned to the TD in response to the processing device executing in the context of the TD.
2. The processing device of claim 1, wherein the VMM comprises a TDRM component to provide memory management via extended page tables (EPT) for at least one of: the TD, the other TDs, or one or more virtual machines (VMs).
3. The processing device of claim 1, wherein the TD-TCS references the TDCS, wherein the TDCS maintains a count of the one or more TD-TCS corresponding to the logical processors of the TD, and wherein the TD-TCS stores a user execution state and a supervisor execution state of the TD.
4. The processing device of claim 1, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device.
5. The processing device of claim 4, wherein the MK-TME engine generates a plurality of encryption keys, accessed via key IDs assigned to the TD, for encrypting and decrypting the memory pages of the TD and for encrypting and decrypting memory pages corresponding to persistent memory assigned to the TD, and wherein the MOT tracks the plurality of key IDs via a key ID associated with each entry in the MOT.
6. The processing device of claim 2, wherein the processing core references the MOT for host physical memory pages accessed as part of a page walk operation to access guest physical memory pages mapped by the EPT.
7. The processing device of claim 1, wherein the TD comprises at least one of: an operating system (OS) to manage one or more applications, or a VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation transfers the operational context of the processing core from at least one of the VMM to the OS of the TD, or from the TDRM to the VMM of the TD.
8. The processing device of claim 1, wherein the TDRM is not included in a trusted computing base (TCB) of the TD.
9. The processing device of claim 1, wherein the TDCS comprises a signature structure that captures a cryptographic measurement of the TD, the cryptographic measurement being signed by a hardware root of trust of the processing device, and wherein the signature structure is provided to an attestation party to verify the cryptographic measurement.
10. The processing device of claim 1, wherein the processing core is further to maintain a measurement state of the TD in the TDCS, the TDCS being access-controlled against software accesses from software comprising at least one of the TDRM, the VMM, or the other TDs executed by the processing device.
11. The processing device of claim 1, wherein the TDRM manages the TD and the other TDs.
12. A method, comprising:
identifying, by a processing device executing a trust domain resource manager (TDRM) to manage a trust domain (TD) executed on the processing device, a TD exit event;
in response to identifying the TD exit event, saving, using a first key identifier (ID) corresponding to a first encryption key assigned to the TD, a TD user execution state and a TD supervisor execution state into a trust domain thread control structure (TD-TCS) corresponding to a logical processor assigned to the TD, the execution state being encrypted with the first encryption key, wherein the TD-TCS is access-controlled against software accesses from at least one of the TDRM, a virtual machine manager (VMM), or other TDs executed by the processing device;
modifying a key ID state of the processing device from the first key ID to a second key ID corresponding to at least one of the TDRM or the VMM; and
loading a TDRM execution and control state and TDRM exit information, so that the processing device operates in the context of the TDRM.
13. The method of claim 12, further comprising:
executing a TD enter event in the context of the TDRM;
loading, using a second key identifier (ID) corresponding to a second encryption key assigned to the TDRM, TDRM execution controls specified by the TDRM from a trust domain resource manager control structure (TD-RCS) corresponding to the logical processor assigned to the TD, the execution state being encrypted with the second encryption key, wherein the TD-RCS is access-controlled via extended page tables (EPT) against at least one of the TD or other VMs executed by the processing device;
modifying the key ID state of the processing device from the second key ID to the first key ID corresponding to the TD; and
loading the user execution state and the supervisor execution state from the TD-TCS, so that the processing device operates in the context of the TD.
14. The method of claim 13, wherein the TDCS and the TD-TCS are confidentiality-protected and access-controlled via a memory ownership table (MOT) of the processing device, the MOT comprising a first entry for the TDCS, the first entry associating the first key ID with the TD, wherein the MOT uses the first key ID to enforce memory confidentiality for memory accesses to memory pages corresponding to the TD.
15. The method of claim 12, wherein the MOT is access-controlled via range registers.
16. The method of claim 14, wherein the TDRM execution and control state is loaded from the TD-RCS structure, which is access-controlled via the EPT and the MOT, wherein the MOT comprises a second entry for the TD-RCS structure, the second entry associating the second key ID with the physical memory page containing the TD-RCS, and wherein the MOT uses the second key ID to enforce memory confidentiality for memory accesses to memory pages corresponding to the TDRM.
17. The method of claim 12, wherein the VMM is a root VMM comprising the TDRM to manage one or more TDs, wherein the TD comprises a non-root VMM to manage one or more virtual machines (VMs), and wherein the TD exit transfers the operational context of the processing core from the non-root VMM or the one or more VMs of the TD to the VMM and the TDRM.
18. The method of claim 12, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, wherein the MK-TME engine generates a plurality of encryption keys assigned to the TD via key IDs for encrypting ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT tracks the plurality of encryption key IDs, each host physical page in the MOT referencing one key ID.
19. A system, comprising:
a memory device to store one or more instructions; and
a processing device operatively coupled to the memory device, the processing device executing the one or more instructions to:
execute a trust domain resource manager (TDRM) to manage a trust domain (TD), wherein the TDRM is not included in a trusted computing base (TCB) of the TD;
maintain a supervisor execution state and a user execution state of the TD in a trust domain thread control structure (TD-TCS), the TD-TCS being access-controlled against software accesses from at least one of the TDRM, a virtual machine manager (VMM), or other TDs executed by the processing device;
reference the MOT to obtain at least one encryption key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID allowing the processing device to decrypt memory pages assigned to the TD in response to the processing device executing in the context of the TD, the memory pages assigned to the TD being encrypted with the encryption key identified via the encryption key ID; and
reference the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD, wherein a match between the guest physical address and the accessed guest physical address allows the processing device to access the memory pages assigned to the TD in response to the processing device executing in the context of the TD.
20. The system of claim 19, wherein the VMM comprises a TDRM component to provide memory management via extended page tables (EPT) for one or more of: the TD, the other TDs, or one or more virtual machines (VMs).
21. The system of claim 19, wherein the TD-TCS corresponds to a logical processor of the TD, wherein the TD-TCS stores the supervisor execution state and the user execution state of the TD on a TD exit operation and loads the user and supervisor execution state of the TD on a TD enter operation, and wherein the TD-TCS is access-controlled against software accesses from at least one of the TDRM, the VMM, or the other TDs executed by the processing device.
22. The system of claim 19, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, wherein the MK-TME engine generates a plurality of encryption keys assigned to the TD via key IDs for encrypting ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT tracks the plurality of encryption key IDs via a key ID associated with each entry in the MOT.
23. The system of claim 19, wherein the VMM comprises the TDRM to manage the TD, wherein the TD comprises an operating system (OS) or a non-root VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation transfers the operational context of the processing core from the TDRM to the non-root VMM of the TD.
24. An apparatus, comprising: means for performing the method of any one of claims 12 to 18.
25. At least one machine-readable medium comprising a plurality of instructions that, in response to being executed on a computing device, cause the computing device to perform the method of any one of claims 12 to 18.
Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
---|---|---|---
US15/705562 | 2017-09-15 | |
US15/705,562 US11687654B2 (en) | 2017-09-15 | 2017-09-15 | Providing isolation in virtualized systems using trust domains

Publications (1)

Publication Number | Publication Date
---|---
CN109508555A true CN109508555A (en) | 2019-03-22

Family

ID=63294028

Family Applications (1)

Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201811074901.XA Pending CN109508555A (en) | 2017-09-15 | 2018-09-14 | Providing isolation in virtualized systems using trust domains

Country Status (5)

Country | Link
---|---
US (2) | US11687654B2 (en)
EP (3) | EP3457311B1 (en)
JP (2) | JP7118767B2 (en)
KR (1) | KR20190031136A (en)
CN (1) | CN109508555A (en)
US11856097B2 (en) * | 2020-12-23 | 2023-12-26 | Oracle International Corporation | Mechanism to provide customer VCN network encryption using customer-managed keys in network virtualization device |
US11960596B2 (en) * | 2021-03-11 | 2024-04-16 | Xilinx, Inc. | Network interface device |
US20230289479A1 (en) * | 2022-03-11 | 2023-09-14 | Intel Corporation | Bypassing memory encryption for non-confidential virtual machines in a computing system |
CN115118508B (en) * | 2022-06-28 | 2023-09-19 | 平安银行股份有限公司 | Data management method, device, electronic equipment and storage medium |
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5495614A (en) * | 1994-12-14 | 1996-02-27 | International Business Machines Corporation | Interface control process between using programs and shared hardware facilities |
US8738932B2 (en) | 2009-01-16 | 2014-05-27 | Teleputers, Llc | System and method for processor-based security |
US9117080B2 (en) | 2013-07-05 | 2015-08-25 | Bitdefender IPR Management Ltd. | Process evaluation for malware detection in virtual machines |
US9727355B2 (en) * | 2013-08-23 | 2017-08-08 | Vmware, Inc. | Virtual Hadoop manager |
US9652276B2 (en) * | 2014-09-17 | 2017-05-16 | International Business Machines Corporation | Hypervisor and virtual machine protection |
GB2532415A (en) | 2014-11-11 | 2016-05-25 | Ibm | Processing a guest event in a hypervisor-controlled system |
EP3160103B1 (en) * | 2014-12-30 | 2019-11-20 | Huawei Technologies Co., Ltd. | Method, apparatus and system for encryption/decryption in virtualization system |
GB2539435B8 (en) * | 2015-06-16 | 2018-02-21 | Advanced Risc Mach Ltd | Data processing memory access control, in which an owning process for a region of memory is specified independently of privilege level |
GB2539433B8 (en) * | 2015-06-16 | 2018-02-21 | Advanced Risc Mach Ltd | Protected exception handling |
US10102151B2 (en) * | 2015-11-06 | 2018-10-16 | International Business Machines Corporation | Protecting a memory from unauthorized access |
US20170277898A1 (en) * | 2016-03-25 | 2017-09-28 | Advanced Micro Devices, Inc. | Key management for secure memory address spaces |
US10255202B2 (en) | 2016-09-30 | 2019-04-09 | Intel Corporation | Multi-tenant encryption for storage class memory |
US20180165224A1 (en) * | 2016-12-12 | 2018-06-14 | Ati Technologies Ulc | Secure encrypted virtualization |
US10353729B1 (en) * | 2017-03-24 | 2019-07-16 | Intuit Inc. | Managing service dependencies across virtual machines in a development environment |
US20190004973A1 (en) | 2017-06-28 | 2019-01-03 | Intel Corporation | Multi-key cryptographic memory protection |
- 2017
  - 2017-09-15 US US15/705,562 patent/US11687654B2/en active Active
- 2018
  - 2018-06-27 JP JP2018121961A patent/JP7118767B2/en active Active
  - 2018-08-13 KR KR1020180094418A patent/KR20190031136A/en active IP Right Grant
  - 2018-08-15 EP EP18189207.6A patent/EP3457311B1/en active Active
  - 2018-08-15 EP EP21175141.7A patent/EP3885958A1/en active Pending
  - 2018-08-15 EP EP20152004.6A patent/EP3657378B1/en active Active
  - 2018-09-14 CN CN201811074901.XA patent/CN109508555A/en active Pending
- 2022
  - 2022-08-03 JP JP2022124071A patent/JP2022172095A/en active Pending
- 2023
  - 2023-04-05 US US18/131,199 patent/US20230315857A1/en active Pending
Patent Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070038645A1 (en) * | 2003-09-22 | 2007-02-15 | Michel Koskas | Method for organizing a data base |
CN101410803A (en) * | 2006-01-24 | 2009-04-15 | 思杰系统有限公司 | Methods and systems for providing access to a computing environment |
US20080082772A1 (en) * | 2006-09-29 | 2008-04-03 | Uday Savagaonkar | Tamper protection of software agents operating in a VT environment methods and apparatuses |
CN105306480A (en) * | 2009-10-15 | 2016-02-03 | 交互数字专利控股公司 | Method and device in system including the device |
CN102656589A (en) * | 2009-12-15 | 2012-09-05 | 微软公司 | Verifiable trust for data through wrapper composition |
CN104335549A (en) * | 2012-06-07 | 2015-02-04 | 阿尔卡特朗讯公司 | Secure data processing |
US20150261576A1 (en) * | 2014-03-17 | 2015-09-17 | Vmware, Inc. | Optimizing memory sharing in a virtualized computer system with address space layout randomization enabled in guest operating systems |
CN105184113A (en) * | 2014-03-27 | 2015-12-23 | 英特尔公司 | Hardware-assisted Virtualization For Implementing Secure Video Output Path |
CN106716434A (en) * | 2014-10-21 | 2017-05-24 | 英特尔公司 | Memory protection key architecture with independent user and supervisor domains |
GB201510526D0 (en) * | 2015-06-16 | 2015-07-29 | Advanced Risc Mach Ltd | Data processing apparatus and method with ownership table |
GB2539428A (en) * | 2015-06-16 | 2016-12-21 | Advanced Risc Mach Ltd | Data processing apparatus and method with ownership table |
US20180129611A1 (en) * | 2015-06-16 | 2018-05-10 | Arm Limited | Data processing apparatus and method with ownership table |
US10404674B1 (en) * | 2017-02-28 | 2019-09-03 | Amazon Technologies, Inc. | Efficient memory management in multi-tenant virtualized environment |
Non-Patent Citations (2)
Title |
---|
HANJUN SHIN et al.: "TopDom: an efficient and deterministic method for identifying topological domains in genomes", pages 1 - 13, Retrieved from the Internet <URL: https://academic.oup.com/nar/article/44/7/e70/2467818?login=true> (published online) * |
Zheng Xianyi et al.: "A Survey of System Security Isolation Technology Research", Chinese Journal of Computers (计算机学报), vol. 40, no. 6, 4 July 2017 (2017-07-04), pages 1057 - 1079 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111339533A (en) * | 2020-02-14 | 2020-06-26 | 北京工业大学 | Application layer-oriented trusted cryptographic module interface design method |
CN111339533B (en) * | 2020-02-14 | 2023-04-28 | 北京工业大学 | Application layer-oriented trusted cryptographic module interface design method |
CN112003937A (en) * | 2020-08-21 | 2020-11-27 | 西安寰宇卫星测控与数据应用有限公司 | Satellite data transmission method, satellite data transmission device, computer equipment and storage medium |
CN112003937B (en) * | 2020-08-21 | 2023-08-15 | 西安寰宇卫星测控与数据应用有限公司 | Satellite data transmission method, device, computer equipment and storage medium |
WO2024000565A1 (en) * | 2022-07-01 | 2024-01-04 | Intel Corporation | Methods and apparatuses to debug confidential virtual machine for processor in production mode |
CN117407864A (en) * | 2023-12-13 | 2024-01-16 | 苏州元脑智能科技有限公司 | Trusted domain expansion method, system, device, equipment and computer medium |
CN117407864B (en) * | 2023-12-13 | 2024-02-27 | 苏州元脑智能科技有限公司 | Trusted domain expansion method, system, device, equipment and computer medium |
Also Published As
Publication number | Publication date |
---|---|
EP3885958A1 (en) | 2021-09-29 |
JP7118767B2 (en) | 2022-08-16 |
US11687654B2 (en) | 2023-06-27 |
KR20190031136A (en) | 2019-03-25 |
JP2022172095A (en) | 2022-11-15 |
US20230315857A1 (en) | 2023-10-05 |
EP3457311A1 (en) | 2019-03-20 |
JP2019053720A (en) | 2019-04-04 |
US20190087575A1 (en) | 2019-03-21 |
EP3657378B1 (en) | 2021-05-26 |
EP3657378A1 (en) | 2020-05-27 |
EP3457311B1 (en) | 2020-02-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109508555A (en) | | Isolation is provided in virtualization system using inter-trust domain |
CN105474227B (en) | | Safe storage subregion again |
EP3671515B1 (en) | | Method and apparatus for trust domain creation and destruction |
US20210004483A1 (en) | | Secure Public Cloud |
CN106575261A (en) | | Memory initialization in a protected region |
CN104954356B (en) | | The shared interconnection of protection is to be used for virtual machine |
TWI697804B (en) | | Platform migration of secure enclaves |
US11748146B2 (en) | | Scalable virtual machine operation inside trust domains within the trust domain architecture |
CN110659244A (en) | | Inline coding capability |
CN108509250A (en) | | The safe public cloud of host computer control is verified with shielded guest machine |
CN107851170A (en) | | Support the configurable level of security for memory address range |
CN114902225A (en) | | Cryptographic computation in a multi-tenant environment |
CN110472444A (en) | | Prevent the unauthorized access to encrypted memory |
CN110321729A (en) | | The memory paging in virtualization system is supported using trust domain |
EP3671522A1 (en) | | Secure encryption key management in trust domains |
WO2014122554A1 (en) | | Key-based data security management |
CN109690546A (en) | | It supports to subscribe to the excess of client computer enclave storage page |
CN107924442A (en) | | Method and apparatus for lightweight virtualization context |
CN117931376A (en) | | Scalable virtual machine operations within trust domains within trust domain architecture |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |